Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: 0-day exploit for Internet Explorer in the wild
From: Gregory N Pendergast/AC/VCU <gnpendergast () VCU EDU>
Date: Thu, 11 Dec 2008 09:42:59 -0500

Internet Storm Center is now indicating that Server 2008 and Vista
(including SP1) are affected, and that use of the exploit is becoming more
wide spread.
http://isc.sans.org/diary.html?storyid=5458

Microsoft has also weighed in now:
http://www.microsoft.com/technet/security/advisory/961051.mspx

As for my statement about "realistic" mitigations, that was
unintentionally myopic on my part. I have no way to deploy the potential
mitigations you described, and doing so in a way that would not cause a
general uprising would be time-prohibitive. In regard to DEP specifically,
enabling that is known to break some legitimate plug-ins, which is why
Microsoft turns it off by default.


Greg Pendergast
Information Security Analyst
Virginia Commonwealth University




Curt Wilson <curtw () SIU EDU>
Sent by: The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU>
12/10/2008 04:45 PM
Please respond to
The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU>


To
SECURITY () LISTSERV EDUCAUSE EDU
cc

Subject
Re: [SECURITY] 0-day exploit for Internet Explorer in the wild






Gregory N Pendergast/AC/VCU wrote:
BreakingPoint Labs has a good analysis of the exploit:

http://www.breakingpointsystems.com/community/blog/patch-tuesdays-and-drive-by-sundays


Unfortunately, I haven't yet seen any mention of realistic mitigations.

Greg Pendergast
Information Security Analyst
Virginia Commonwealth University


What does 'realistic' mean in this context?

I have not personally tested, however the article mentions manually
enabling DEP for platforms where DEP is opt-in. In the limited attack I
know of so far from the .cn sites, I'm guessing that if the end-stage
binary is not constantly changing or packed with a difficult to handle
packer, AV coverage might be present although again I have not tested.
Of course, that's an after-the-fact and not what you specifically asked
about.

There was a presentation at 2008 BlackHat Las Vegas I believe on
stopping heap spraying attacks, but I'm not sure of the practical
details or implementation.

As far as I can tell, the old standby of "disabling active scripting"
should work. On campus, I recommend people tweak the security zones in
IE, use trusted sites (with active scripting) only when necessary for
internal and/or trusted hosts, disable active scripting elsewhere in IE,
and use another browser for generic web surfing. (firefox + NoScript for
instance). Probably not "realistic" though except for the people that
care enough already.

I am assuming that Vista is not specifically at risk, but I don't know
for a fact. Anyone else know?

Thanks

--
Curt Wilson
SIUC IT Security Officer & Security Engineer


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]