SANS ISC InfoSec Handlers Diary Blog

InfoCon Returning to Green

Published: 2006-03-24
Last Updated: 2006-03-25 00:24:21 UTC
by Deborah Hale (Version: 1)
We have decided to return the InfoCon to green for the start of the weekend. We feel that everyone who is going to react to the latest IE exploit has done so, and we wanted to start the weekend in normal mode.

We do want to remind everyone, however, that this is a serious problem. We have received information that at least a dozen sites exist out there that are working the exploits. The information is also circulating on IRC, so it might be a good idea to kill IRC until the patches are released and in place. (And no, we are not going to tell anyone what the sites are. We cannot and will not release the information, so please don't ask.)

The best advice we can give is to disable Active Scripting to make sure that your computer doesn't get smacked. Snort signatures are also available, as indicated earlier.

So use due diligence this weekend and take care to surf safely. Have a great weekend everyone and stay safe.

IE exploit on the loose, going to yellow

Published: 2006-03-24
Last Updated: 2006-03-25 00:22:09 UTC
by Jim Clausing (Version: 3)

Update: At the urging of Handler Extraordinaire Kyle Haugsness, I tested the sploit on a box with software-based DEP and DropMyRights... here are the results:

Software-based DEP protecting core Windows programs: sploit worked
Software-based DEP protecting all programs: sploit worked
DropMyRights, configured to allow IE to run (weakest form of DropMyRights protection): sploit worked
Active Scripting Disabled: sploit failed

So, go with the last one, if you are concerned.  By the way, you should be concerned.

--Ed Skoudis
Intelguardians.

Previous Update: We just received a report that a particular site uses the "createTextRange" vulnerability to install a spybot variant. It is a minor site with insignificant visitor numbers according to Netcraft's "Site rank".

The Bleedingsnort rule has been updated. It has been tested against that particular version of the exploit and works for it. For details, see
this set of rules (last one is the 'createTextRange' rule).



Folks, as Lorna predicted yesterday, it didn't take long for the exploits to appear for that IE vulnerability.  One has been making the rounds that pops the calculator up (no, I'm not going to point you to the PoC code, it is easy enough to find if you read any of the standard mailing lists), but it is a relatively trivial mod to turn that into something more destructive (in fact one of our readers, Matt Davis, has provided us with a version that he created that is more destructive).  For that reason, we're raising Infocon to yellow for the next 24 hours. 

Workarounds/mitigation

Microsoft has posted this and suggests that turning off Active Scripting will prevent this exploit from working.  You could, of course, always use another browser like Firefox or Opera, but remember that IE is so closely tied to other parts of the OS, that you may be running it in places where you don't realize you are.

One of our readers asked whether DropMyRights from Microsoft would provide any protection.  We haven't had an opportunity to test that out.  (Update:  We have now tested it... see above update --skoudis).

I understand a Snort signature to detect the exploit has been checked in to bleeding-snort; I'll update the story with a URL for the sig as soon as I find it.

References

Original Secunia bulletin: http://secunia.com/advisories/18680/
Microsoft blog: http://blogs.technet.com/msrc/archive/2006/03/22/422849.aspx

------------------------
Jim Clausing, jclausing --at-- isc.sans.org

Is anyone seeing an increase in port 143 (IMAP) scans?

Published: 2006-03-24
Last Updated: 2006-03-24 22:44:34 UTC
by Deborah Hale (Version: 1)
Just curious if anyone is seeing an increase in port scanning on port 143? Port 143 is typically used for IMAP. Please let us know if any of you are seeing an increase in port scan activity.



Microsoft Security Advisory (917077)

Published: 2006-03-23
Last Updated: 2006-03-24 20:29:25 UTC
by Deborah Hale (Version: 2)
Microsoft has just released a Security Advisory for the HTML Objects vulnerability. This is the reason the Internet Storm Center went to yellow this evening.

From the Microsoft advisory:

"Microsoft has confirmed new public reports of a vulnerability in Microsoft Internet Explorer. Based on our investigation, this vulnerability could allow an attacker to execute arbitrary code on the user's system in the security context of the logged-on user. We have seen examples of proof of concept code but we are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time."

Microsoft Suggested Workarounds:

* Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zones.
* Set Internet and Local intranet security zone settings to "high" to prompt before Active Scripting in these zones.
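The zone settings in the two bullets above (and the "disable active scripting" advice in the other diaries on this page) are per-zone registry values, so the workaround can be applied and then read back to confirm it took effect. The following PowerShell is an added example, not code from the ISC diary or from Microsoft's advisory; it assumes the standard Internet Explorer zone layout under HKCU (zone 1 = Local intranet, zone 3 = Internet, action 1400 = Active Scripting, with 0 = Enable, 1 = Prompt, 3 = Disable) and that no machine-wide policy overrides the per-user values.

```powershell
# Added example: apply the "disable or prompt for Active Scripting" workaround
# to the Internet and Local intranet zones for the current user, then verify.
# Zone ids and the 1400 action value are the documented IE zone-setting names
# (assumption: the standard layout, no policy override).
param(
    [ValidateSet('Disable', 'Prompt')]
    [string]$Mode = 'Disable'          # 'Disable' is the stronger of the two workarounds
)

$zoneBase       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones          = @{ 1 = 'Local intranet'; 3 = 'Internet' }   # the two zones named in the advisory
$activeScripting = '1400'                                      # action id: Active Scripting
$stateName      = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$target         = if ($Mode -eq 'Disable') { 3 } else { 1 }

foreach ($id in $zones.Keys) {
    $path = Join-Path $zoneBase $id
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }

    # Record the current value so the change is auditable (null if never set).
    $before = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).$activeScripting

    Set-ItemProperty -Path $path -Name $activeScripting -Value $target -Type DWord

    # Read back rather than trusting the write: a failed Set-ItemProperty or a
    # policy-locked key would otherwise go unnoticed.
    $after = (Get-ItemProperty -Path $path).$activeScripting
    if ($after -ne $target) {
        Write-Warning ("{0} (zone {1}): Active Scripting is still {2}, expected {3}" -f
            $zones[$id], $id, $stateName[[int]$after], $stateName[$target])
    }
    else {
        '{0,-15} (zone {1}): Active Scripting {2} -> {3}' -f `
            $zones[$id], $id, $(if ($null -eq $before) { 'unset' } else { $stateName[[int]$before] }), $stateName[$target]
    }
}
```

Run it as the user whose browser is being protected, since the values live under HKCU; `-Mode Prompt` gives the weaker "prompt before running" variant from the first bullet. If the machine has `Security_HKLM_only` set or zone settings pushed by domain policy, the HKLM copy of the same zone keys wins, and the read-back warning above is what tells you the per-user change is not actually in effect.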

http://www.microsoft.com/technet/security/advisory/917077.mspx

Microsoft says that they are still investigating and will provide more information as it becomes available.  So stay tuned for further updates.
