
Internet Explorer – another unpatched vulnerability

SANS are flagging a particularly nasty Internet Explorer problem:

the UK group “Computer Terrorism” released a proof of concept exploit against patched versions of Internet Explorer. We verified that the code is working on a fully patched Windows XP system with default configuration.

The bug uses a problem in the javascript ‘Window()’ function, if run from ‘onload’. ‘onload’ is an argument to the HTML tag, and is used to execute javascript as the page loads.

The Javascript Window() vulnerability has been known for a few months now, but it has so far been treated as a denial of service (DoS) vulnerability. The author of this PoC figured out a way to use this older vulnerability to execute code.

Impact:
Arbitrary executables may be executed without user interaction. The PoC demo as tested by us will launch the calculator (calc.exe).

In addition to the PoC ‘Calculator’ exploit, a reader (thanks Chris R!) submitted a version that opens a remote shell. The PoC exploit allows for easy copy/paste of various shell code snippets.

In itself, the vulnerability will not escalate privileges. We are trying to verify other exploits at this point.

Mitigation:
Turn off javascript, or use an alternative browser (Opera, Firefox). If you happen to use Firefox: This bug is not affecting Firefox. But others may. For Firefox, the extension ‘noscript’ can be used to easily allow Javascript for selected sites only.

Looks nasty. Fully patched Windows XP and IE 6 are at risk from this one; turning off JavaScript is going to break a lot of new sites.

As the man said – make sure you use Firefox or Opera.

Microsoft SUS failures?

It’s another big patch week – and SANS are reporting that Microsoft SUS is having problems:

Microsoft SUS not playing well (NEW)
Published: 2005-11-09
Last Updated: 2005-11-09 16:45:28 UTC by Tony Carothers (Version: 2)

Matthew Bailey just provided this input in regards to the SUS problems that are occurring:

“I found this posting at http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.softwareupdatesvcs

The SUS 1.0 update cab is delayed today but will be published at ~ 5:00pm PDT today.

The WSUS cab has no delays and has been published.”

We’ve had a busy last ~12 hours. Reports are coming in that Microsoft’s SUS is not updating correctly, causing a lot of readers to have to manually roll out patches. If anybody has found this to not be the case, or found a way to kick SUS into gear, please send us a note, and I’ll get it out to the rest of the world 🙂

Most enterprises who are relying on SUS/WSUS for deployment of patches are still on SUS (the older technology). This is a pretty important process for enterprises – patching, and the race to patch on time, is causing a lot of IT administrator headaches.

For SUS to fail and administrators to have to manually roll out patches is a disaster; I am sure that after this many CIOs will mandate a close look at other options; maybe this will cause them to switch platforms, or at least look at a more robust patch solution.