[ISN] IE Exploit Attacks Another Piece of ActiveX
InfoSec News
isn at c4i.org
Thu Jul 8 06:54:09 EDT 2004
http://www.eweek.com/article2/0,1759,1620855,00.asp
By Steven J. Vaughan-Nichols
July 7, 2004
Using Internet Explorer hasn't gotten any safer in the past few days
as a Dutch security hacker, Jelmer Kuperus, pointed out yet another
unblocked security problem in the popular Web browser.
The latest exploit, an attack on a Windows ActiveX component called
Shell.Application, is similar to the Download.Ject attack, also called
JS.Scob.Trojan. In that exploit, crackers broke into IIS servers on
several popular but still unnamed sites and used them to spread
keyboard loggers, proxy servers and other malware through IE's ActiveX
scripting technology.
Indeed, attackers used the spyware technique of installing a pop-up ad
program, except this one silently installed a Trojan and a BHO
(Browser Help Object) designed to swipe login information from several
dozen financial sites.
The sites that spread the malware have since been fixed, but there has
been no master shipping solution for the underlying IE
vulnerabilities. Disabling Active scripting and ActiveX controls in
the Internet Zone and Local Machine Zone will prevent exploitation of
these holes, but at the cost of seriously affecting IE's
functionality.
Microsoft shipped a "patch" Friday that addressed part of this
security problem by disabling the Windows component called
ADODB.Stream.
Because of these developments, CERT (the U.S. Computer Emergency
Readiness Team) and some IT professionals are recommending that users
consider using other browsers such as Opera, Mozilla and Firefox.
Others, noting how so much business depends on ActiveX-powered Web
sites, are sticking with Internet Explorer in the hopes that
forthcoming Microsoft IE security patches and Windows XP SP2 (Service
Pack 2) will protect their systems from the newly exploited IE
security holes.
XP SP2 is expected to stop such attacks by hardening the barriers
between processes running on the Internet Zone and on the far more
dangerous Local Machine Zone, according to Thor Larholm, senior
security researcher at PivX Solutions LLC, a security firm based in
Newport Beach, Calif.
But in the meantime, Kuperus has published code that he claims can be
used to break into Windows systems running IE with the
Shell.Application exploit. The possibility of attacks using
Shell.Application has been known in security circles since at least
January 2004, when it was reported in the @RISK newsletter from The
SANS Institute, a cooperative security research and education
organization.
The Shell.Application exploit, like Download.Ject before it, makes it
possible for crackers to create malicious, self-executing HTML files
that can install and run an executable on the Web browser's PC.
At this time, however, there have been no reported attacks using the
Shell.Application exploit. Microsoft is working on security updates
for Internet Explorer that will address this and other ActiveX
security problems.
Larry Seltzer contributed to this story.
More information about the ISN
mailing list