Microsoft releases temporary fix for IE bug
    Microsoft has released a temporary patch to fix a "zero-day", or previously unknown, vulnerability in its Internet Explorer (IE) web browser.
    Shouldn't be affecting any of us unless you are still using Windows and in particular IE. And if you are, the question I ask is why?

    Full article here.
    http://www.bbc.co.uk/news/technology-24142934

    #2
    Because the U. S. Government says so...

    Please Read Me

    Comment


      #3
      Originally posted by oshunluvr:
      Because the U. S. Government says so...
      Lol, yeah, it's easier for the NSA folks, too funny, and yet sad.

      Edit: In other news, the wages of the patching staff at Microsoft can power the economy of a small city, lol.

      Comment


        #4
        This is one of the most fsked up vulns I have ever seen.

        CVE-2013-3893 says:
        Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.
        Microsoft security advisory 2887505 says:
        Microsoft is investigating public reports of a vulnerability in all supported versions of Internet Explorer. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Internet Explorer 8 and Internet Explorer 9... The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer.
        In other words, logging on with local admin rights means the Internet becomes a local admin of your PC.

        Microsoft publishes details on the exploit:
        The exploit we analyzed worked only on Windows XP or Windows 7 running Internet Explorer 8 or 9... The exploit was attacking a Use After Free vulnerability in IE’s HTML rendering engine (mshtml.dll) and was implemented entirely in Javascript (no dependencies on Java, Flash etc), but did depend on a Microsoft Office DLL which was not compiled with ASLR (Address Space Layout Randomization) enabled. This DLL (hxds.dll) is loaded into IE by the HTML href attribute shown below:
        Code:
        try { location.href = 'ms-help://' } catch (e) { }
        The purpose of this DLL in the context of this exploit is to bypass ASLR by providing executable code at known addresses in memory, so that a hardcoded ROP (Return Oriented Programming) chain can be used to mark the pages containing shellcode (in the form of Javascript strings) as executable. This can be seen by the fact that ALL the gadgets used by the ROP chain were contained in hxds.dll.
        KB 2887505 has one of those lame "Fix-It" things. It installs an appcompat shim that essentially redirects the exploit away from the vulnerability.

        Ask yourself this: why isn't the damn hxds.dll compiled with ASLR, hmm? In 2011, a fully-updated machine had 9,000 unprotected DLLs. Apparently, two years later, not much has changed.

        Comment


          #5
          Steve,

          Is it safe to say this wouldn't have happened on your watch?
          samhobbs.co.uk

          Comment


            #6
            No, I wasn't part of the QA or release teams. I would have to be the one who stands on stage and explain it all away, though.

            Comment
