Surfing With Sharks


Publicly exploitable vulnerabilities in Internet Explorer are far more common than many security people would like. The recently discovered VML arbitrary code execution flaw is probably one of the more serious issues to come to light in recent months. Rooted in a core component of Internet Explorer, the flaw allows attackers to run code of their choice on victims' systems, provided that the victims can be tricked into viewing malicious content.

This critical step in the process has unfortunately been made much easier in recent days. When exploitation of the issue was first discovered, it was primarily adult websites that were using it to install malware on visitors' systems. Much as WMF exploitation progressed at the start of the year, VML exploitation has recently taken a nasty turn. Hosting provider HostGator was compromised through what is believed to be a previously unknown cPanel vulnerability, and client websites were redirected to sites that exploited the VML vulnerability, infecting visitors' systems. In this case, visitors could be browsing legitimate, trusted websites yet end up on a page that is busy installing malicious content. Anecdotal evidence suggests that exploitation is much broader than is being reported by Microsoft and major security providers.

Although there have been a number of serious problems in cPanel over recent months, the most recent issue to be disclosed is a privilege escalation vulnerability that has been reported in the last couple of days. Assuming that this is the issue exploited to take control of HostGator's servers, it is something that a lot of hosting providers and site administrators need to be very aware of. The very popular site management tool normally installs into known locations, and it doesn't take long to discover whether a site is managed with cPanel. To use a privilege escalation exploit effectively, it is necessary to gain access to a legitimate user account, so it would be prudent to ensure that all cPanel administrators and users are using strong passwords. Operators of sites on shared servers need to be aware that the compromise of an account belonging to another site can lead to damage to their own. cPanel developers have since released an update for the issue, which affects all versions of the software.

Initial response to the VML issue suggested that disabling JavaScript support would be sufficient to protect against exploitation. As exploit samples progressed, it was noticed that this step was not enough: exploits were working even though scripting support had been disabled. Until Microsoft are able to release a patch (believed to be coming with the October security patch release on October 10), the best advice for most users is to use an alternate browser. Advanced users can deregister the affected DLL, though this risks causing further damage to a system if the user gets it wrong, and it prevents legitimate use of the functions the DLL supports.

Users who are more adventurous might want to check out a patch released by the Zero Day Emergency Response Team (ZERT), the same group that provided an early patch for the WMF vulnerability from earlier this year. There is still great concern, as public exploit samples have recently been released that provide a means to attack Windows XP SP2 systems, where previous samples have only been available for Windows XP SP1.

Article Directory: http://www.articledashboard.com

Carl is the founder and lead researcher for Sunnet Beskerming (www.beskerming.com), an Information Security company with a difference. Based in Australia, but serving the world, Carl and his company provide services that can't be out-done.

© 2006-2008 DmozArticles : Latest collection of articles of all categories. All material on this site is copyrighted by its respective owner.