Educause Security Discussion mailing list archives
Re: 0-day exploit for Internet Explorer in the wild
From: Gregory N Pendergast/AC/VCU <gnpendergast () VCU EDU>
Date: Thu, 11 Dec 2008 09:42:59 -0500
Internet Storm Center is now indicating that Server 2008 and Vista (including SP1) are affected, and that use of the exploit is becoming more widespread. http://isc.sans.org/diary.html?storyid=5458

Microsoft has also weighed in now: http://www.microsoft.com/technet/security/advisory/961051.mspx

As for my statement about "realistic" mitigations, that was unintentionally myopic on my part. I have no way to deploy the potential mitigations you described, and doing so in a way that would not cause a general uprising would be time-prohibitive. In regard to DEP specifically, enabling that is known to break some legitimate plug-ins, which is why Microsoft turns it off by default.

Greg Pendergast
Information Security Analyst
Virginia Commonwealth University

Curt Wilson <curtw () SIU EDU>
Sent by: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
12/10/2008 04:45 PM
Please respond to The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
cc:
Subject: Re: [SECURITY] 0-day exploit for Internet Explorer in the wild

Gregory N Pendergast/AC/VCU wrote:
BreakingPoint Labs has a good analysis of the exploit:
http://www.breakingpointsystems.com/community/blog/patch-tuesdays-and-drive-by-sundays
Unfortunately, I haven't yet seen any mention of realistic mitigations.

Greg Pendergast
Information Security Analyst
Virginia Commonwealth University
What does 'realistic' mean in this context? I have not personally tested; however, the article mentions manually enabling DEP for platforms where DEP is opt-in. In the limited attack I know of so far from the .cn sites, I'm guessing that if the end-stage binary is not constantly changing or packed with a difficult-to-handle packer, AV coverage might be present, although again I have not tested. Of course, that's an after-the-fact and not what you specifically asked about.

There was a presentation at 2008 BlackHat Las Vegas, I believe, on stopping heap spraying attacks, but I'm not sure of the practical details or implementation.

As far as I can tell, the old standby of "disabling active scripting" should work. On campus, I recommend people tweak the security zones in IE, use trusted sites (with active scripting) only when necessary for internal and/or trusted hosts, disable active scripting elsewhere in IE, and use another browser for generic web surfing (Firefox + NoScript, for instance). Probably not "realistic" though, except for the people that care enough already.

I am assuming that Vista is not specifically at risk, but I don't know for a fact. Anyone else know?

Thanks

--
Curt Wilson
SIUC IT Security Officer & Security Engineer
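As an added example (not part of the thread, and not code from EDUCAUSE, Microsoft or either poster), the following PowerShell script audits, read-only, the Internet Explorer settings that the security-zone recommendation above touches for the current user: the Active scripting setting of the Internet and Trusted sites zones, and which hosts have been mapped into a zone. It assumes the standard registry layout for per-user IE zone settings described in its comments; the function name Get-ActiveScriptingSetting is its own.

```powershell
# Added example; not code from the thread, from EDUCAUSE or from Microsoft.
# Read-only audit of the current user's IE security-zone settings.
# Assumed registry layout (standard for IE6/IE7 per-user settings):
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>
#     where 2 = Trusted sites, 3 = Internet; the DWORD named "1400" is
#     Active scripting (0 = Enable, 1 = Prompt, 3 = Disable).
#   HKCU\...\Internet Settings\ZoneMap\Domains\<domain>[\<host>]
#     with one DWORD per scheme ("http", "https" or "*") holding the zone id.
# Nothing is modified. A per-machine policy under HKLM may override what is shown.

$base         = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneNames    = @{ 2 = 'Trusted sites'; 3 = 'Internet' }
$settingNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingSetting {
    param([int]$ZoneId)
    $key = Get-Item -Path (Join-Path $base "Zones\$ZoneId") -ErrorAction SilentlyContinue
    if ($key -eq $null) { return 'zone key not found' }
    $raw = $key.GetValue('1400')
    if ($raw -eq $null) { return 'not set (IE built-in default applies)' }
    if ($settingNames.ContainsKey([int]$raw)) { return $settingNames[[int]$raw] }
    return "unknown value $raw"
}

"Active scripting (value 1400) per zone:"
foreach ($id in ($zoneNames.Keys | Sort-Object)) {
    "  Zone $id ($($zoneNames[$id])): $(Get-ActiveScriptingSetting -ZoneId $id)"
}

# Every key under ZoneMap\Domains is a domain, optionally with a host sub-key
# beneath it (e.g. example.edu\www stands for www.example.edu); each DWORD value
# is named for a scheme and holds the zone id the host was placed in.
"Hosts mapped to a zone (ZoneMap\Domains):"
$domainsPath = Join-Path $base 'ZoneMap\Domains'
$domains = Get-Item -Path $domainsPath -ErrorAction SilentlyContinue
if ($domains -eq $null) {
    "  (none)"
} else {
    Get-ChildItem -Path $domainsPath -Recurse | ForEach-Object {
        $key = $_
        foreach ($scheme in $key.GetValueNames()) {
            $zone  = $key.GetValue($scheme)
            $rel   = $key.Name.Substring($domains.Name.Length + 1)
            $parts = @($rel -split '\\')
            [array]::Reverse($parts)
            $hostName = $parts -join '.'
            $label = if ($zoneNames.ContainsKey([int]$zone)) { $zoneNames[[int]$zone] } else { "zone $zone" }
            "  ${scheme}://${hostName} -> $label"
        }
    }
}
```

Run it in a normal (non-elevated) PowerShell session as the user whose browser settings you want to check; a zone whose value 1400 reads "Enable" on the Internet zone is the configuration the recommendation above suggests moving away from, and the ZoneMap listing shows which hosts would still receive active scripting after that change.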