Tag Archives: 0day

IE6 – IE11 0 Day Vulnerability [April/May 2014]

Context:

As some of you have no doubt seen, there is a new 0 Day vulnerability in IE6 – IE11 that allows an attacker to bypass two of Windows’ primary security mechanisms, ASLR and DEP. Specifically, the way IE (mis)handles Adobe Flash is what makes this possible. There is currently no patch from Microsoft, but I do expect one within the next couple of days.

The initial exploitation of this vulnerability was targeted at IE9 – IE11 and at a specific set of users an APT group was pursuing, but we are now seeing more generalized, non-targeted attacks.

There are a few reasons that this is a significant vulnerability, other than the fact that it is a 0 Day…

-According to Microsoft’s current end-of-life policy, this vulnerability will not be patched on Windows XP. This means that no matter which version of IE you run on XP (IE6 – IE8), it will remain vulnerable to this exploit unless extra action is taken (see the mitigation options below).

-This vulnerability affects a very wide set of IE versions: in 2013, these versions of IE made up 53% of the desktop browser market share [src]

General Mitigation Options:

The following are the top 5 ways to mitigate this exploit:

Disable/Remove Adobe Flash: Because this is really a vulnerability in the interaction between Flash and IE, disabling or removing Flash removes the exposure.

Enable IE’s “Enhanced Protected Mode”: EPM was introduced in IE10 as an enhancement of the “Protected Mode” found in earlier versions of IE. EPM can cause unintended compatibility issues with other applications and web apps, so make sure to test before rolling it out.

Use the Enhanced Mitigation Experience Toolkit: [SRC] I have discussed EMET quite a bit in the last year, but if you are not aware of what it is, Brian Krebs has a good primer on it. [SRC]

Use a different browser: Because this is a vulnerability in IE’s handling of corrupted Flash files, switching to a different browser mitigates the issue. Keep in mind, though, that other installed applications (Microsoft Office, etc.) may use the IE engine to render HTML and Flash content, which would bring that computer back into the scope of this vulnerability.
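To make the mitigation list above something you can actually verify across a fleet, here is an added example (my own, not part of the original post) in PowerShell that audits a Windows host read-only for three of the listed controls: whether the Flash ActiveX control is kill-bitted for IE, whether Enhanced Protected Mode is turned on for the current user, and whether EMET is present. It assumes the well-known Flash CLSID {D27CDB6E-AE6D-11cf-96B8-444553540000} and the 0x400 kill-bit value, that IE10+ records EPM as Isolation = PMEM under the per-user Main key, and that EMET 4.x/5.x registers a service named EMET_Service; those last two details are assumptions to confirm in your own environment.

```powershell
# Added example, not from the original post: read-only audit of the
# IE/Flash mitigations discussed above. Run in an elevated PowerShell.

# Assumption: standard Shockwave Flash Object CLSID and IE kill-bit flag.
$flashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$killBit    = 0x400

function Test-FlashKillBit {
    # Check both the native and the 32-bit (Wow6432Node) registry views,
    # since 32-bit IE tab processes on 64-bit Windows read the latter.
    $parents = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    ) | Where-Object { Test-Path $_ }

    if ($parents.Count -eq 0) { return $false }

    foreach ($parent in $parents) {
        $key = Join-Path $parent $flashClsid
        if (-not (Test-Path $key)) { return $false }
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags -or (($flags -band $killBit) -ne $killBit)) { return $false }
    }
    return $true
}

function Test-EnhancedProtectedMode {
    # Assumption: IE10+ stores the EPM toggle as Isolation = 'PMEM'.
    $main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $iso  = (Get-ItemProperty -Path $main -Name 'Isolation' `
             -ErrorAction SilentlyContinue).Isolation
    return ($iso -eq 'PMEM')
}

function Test-EmetInstalled {
    # Assumption: EMET 4.x/5.x installs a Windows service called EMET_Service.
    return ($null -ne (Get-Service -Name 'EMET_Service' -ErrorAction SilentlyContinue))
}

function Get-IEVersion {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' `
         -ErrorAction SilentlyContinue
    # IE10+ reports its true version in svcVersion; older builds only set Version.
    if ($p.svcVersion) { return $p.svcVersion }
    return $p.Version
}

$results = [ordered]@{
    'IE version'                 = Get-IEVersion
    'Flash ActiveX kill-bit set' = Test-FlashKillBit
    'Enhanced Protected Mode on' = Test-EnhancedProtectedMode
    'EMET service present'       = Test-EmetInstalled
}
$results.GetEnumerator() | ForEach-Object { '{0,-28}: {1}' -f $_.Key, $_.Value }
```

On an XP host the EPM check will always report False (EPM needs IE10+), so there the kill-bit and EMET lines are the ones that matter; on Windows 8 and later Flash ships inside IE, so the kill-bit is the practical way to "disable Flash" for IE without uninstalling anything.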

-Josh


HBGary, Juicy Fruit, & 0-Day

If you have not been following the HBGary & Anonymous story, Ars Technica has a couple great writeups on it.

In the aftermath of this whole saga, Anonymous has made public ~72,000 emails from top HBGary leaders (Founder, CEO, etc), including Greg Hoglund, of rootkit.com & “Rootkits: Subverting the Windows Kernel” fame.

Using the emails as a source, Ars Technica did a great review of some of the more interesting emails, including a couple discussing “Juicy Fruit.”  From Ars Technica:

“HBGary kept a stockpile of 0-day exploits. A slide from one of the company’s internal presentations showed that the company had 0-day exploits for which no patch yet existed—but these 0-day exploits had not yet even been published. No one knew about them.

The company had exploits “on the shelf” for Windows 2000, Flash, Java, and more….

One of the unpublished Windows 2000 exploits, for instance, can deliver a “payload” of any size onto the target machine using a heap exploit. “The payload has virtually no restrictions” on what it can do, a document notes, because the exploit secures SYSTEM level access to the operating system, “the highest user-mode operating system defined level” available.”

Though this is all interesting, the pertinent detail I wanted to point out can be found in one of the emails, found here.  As you can see, one of the 0-days is ESX & ESXi.  The email is dated Dec 6, 2009, so just over a year ago.

Though we do not know what kind of access would have been gained (“Even with unique access to the innermost workings of a security firm, much remains opaque; the real conversations took place face-to-face or on secure phone lines, not through e-mail, so the glimpses we have here are fragmentary at best. This care taken to avoid sending sensitive information via unencrypted e-mail stands in stark contrast with the careless approach to security that enabled the hacks in the first place.”), we can see from other emails that we are not talking about some kind of script kiddie-level exploit.

The salient point I want to hammer home is this: HBGary is a small private-sector security company that did some contracting work in the industrial defense space. If HBGary has access to these types of 0-days, it is not hard to imagine what state-sponsored attackers, both homeland and overseas, might have access to.

Are we ready?


-Josh
