MSFT IE vulnerability?

RobbL

I saw this in the news today -- anyone know what's going on here??

"Microsoft Corp. has taken the rare step of warning about a serious computer
security vulnerability it hasn't fixed yet. The vulnerability disclosed
Monday affects Internet Explorer users whose computers run the Windows XP or
Windows Server 2003 operating software."

Microsoft support page: http://tinyurl.com/kwh8ls
 
VanguardLH

RobbL said:
I saw this in the news today -- anyone know what's going on here??

"Microsoft Corp. has taken the rare step of warning about a serious computer
security vulnerability it hasn't fixed yet. The vulnerability disclosed
Monday affects Internet Explorer users whose computers run the Windows XP or
Windows Server 2003 operating software."

Microsoft support page: http://tinyurl.com/kwh8ls

where a link leads to:

http://www.microsoft.com/technet/security/advisory/972890.mspx

They have their workaround (to add killbits for the AX control). Since
the vulnerability has to do with remote code execution, perhaps a better
long-term solution is to NOT log under an admin-level Windows account
when web surfing, or run the web browser under a LUA (limited user
account) token, like using DropMyRights, SysInternals psexec (with the
-l parameter), or a security program that forces the web browser to run
under a LUA token (like OnlineArmor).
 
Randy Knobloch

RobbL said:
I saw this in the news today -- anyone know what's going on here??

"Microsoft Corp. has taken the rare step of warning about a serious computer
security vulnerability it hasn't fixed yet. The vulnerability disclosed
Monday affects Internet Explorer users whose computers run the Windows XP or
Windows Server 2003 operating software."

Microsoft support page: http://tinyurl.com/kwh8ls

The KB is a "workaround", Rob, until MS releases a full patch for this 0-day exploit.

The KB >
<http://support.microsoft.com/kb/971778>

Chatter @ Sans Handler's Diary > *Developing*
<http://isc.sans.org/diary.html?n&storyid=6739>

The MSRC Blog archive entry >
<http://blogs.technet.com/msrc/archive/2009/07/06/microsoft-security-advisory-972890-released.aspx>

Chatter @ DSL Reports >
<http://www.dslreports.com/forum/r22660114-Critical-0day-Microsoft-DirectShow-Vulnerability-exploited>

Regards,
 
Randy Knobloch

robinb said:
are you all applying the fixit fix in xp machines?

Yes.

Create a Restore Point first; the installer does, but the Fix It doesn't, or so I'm told.

Can't have the absolutes absolutely all the time.
 
robinb

What will happen when Microsoft creates a security patch, for those who used
this Fix It?
Will it override it or what?
robin
 
gene

robinb said:
What will happen when Microsoft creates a security patch, for those who used
this Fix It?
Will it override it or what?
robin

Since there's a disable for the fix, I assume that will be adjusted
in the patch, as needed.

Gene
 
VanguardLH

robinb said:
are you all applying the fixit fix in xp machines?

Why? As the manual workaround states, that "fix" just adds killbits in
the registry. The 2nd sentence (of the related article to which I
provided a link) says:

An attacker who successfully exploited this vulnerability could gain
the same user rights as the local user.

Since the vulnerability is remote code execution through an AX control,
always run the web browser under a LUA token (to remove all the admin
privileges) if you're not already logging under a limited account.
After all, when they fix their AX control, their new patch will remove
all those killbits, anyway, so the control can be used thereafter.
Perhaps using an LUA token isn't quite as absolute a security measure as
disabling the AX control but then the vulnerability depends on receiving
malicious content from a web site, so a LUA token and visiting only
well-known trusted sites (that don't get 3rd party content from random
sources) is probably more than sufficient. Just because a vulnerability
is found doesn't mean there are current or near-future exploits for it.

I'm wondering what videos will no longer play in the web browser when
this vaguely described "Microsoft Video ActiveX Control" is disabled
with killbits.
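A way to verify (and, with -Set, apply) the killbit workaround the posts above discuss, as an added example that is neither from this thread nor Microsoft's own Fix It. The CLSID in the parameter is a placeholder; the real CLSIDs for this advisory are listed in 972890 / KB971778, not here. Assumes it is run in an elevated PowerShell session.

```powershell
# Added example, not from the thread: audit and optionally set the IE "killbit"
# for a list of ActiveX CLSIDs. Internet Explorer refuses to instantiate a
# control whose per-CLSID "Compatibility Flags" DWORD has bit 0x400 set.
param(
    # PLACEHOLDER CLSID: replace with the ones from advisory 972890 / KB971778.
    [string[]]$Clsids = @('{00000000-0000-0000-0000-000000000000}'),
    [switch]$Set   # without -Set the script only reports the current state
)

$KillBit = 0x400
# 32-bit IE on 64-bit Windows reads the Wow6432Node copy of this key instead.
$Base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

foreach ($clsid in $Clsids) {
    $key   = Join-Path $Base $clsid
    $flags = 0
    if (Test-Path $key) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        # The value may be absent even when the key exists; treat that as 0.
        if ($item -and $item.PSObject.Properties['Compatibility Flags']) {
            $flags = [int]$item.'Compatibility Flags'
        }
    }
    $isSet = (($flags -band $KillBit) -ne 0)

    if ($isSet) {
        Write-Output ('{0} : killbit already set (flags=0x{1:X})' -f $clsid, $flags)
    } elseif ($Set) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in so any other compatibility flags already present survive.
        $newFlags = $flags -bor $KillBit
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
            -Value $newFlags -Force | Out-Null
        Write-Output ('{0} : killbit SET (flags=0x{1:X})' -f $clsid, $newFlags)
    } else {
        Write-Output ('{0} : killbit NOT set (flags=0x{1:X})' -f $clsid, $flags)
    }
}
```

Run without -Set across the machines first to see which ones still lack the workaround; the report answers the "did the Fix It take on every box" question without touching the registry.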
 
robinb

Where did you read that it doesn't affect IE8? Because that is what I have on
my computers and a lot of my clients'.
 
robinb

Just because you do not like FF doesn't mean it is not a good browser,
but you are right: after I read all the info about it, it affects the OS
regardless of what browser you run.
I am just wondering, if I apply this fix to all my clients' computers and my
own, when Microsoft installs a patch will it override this fix or what? I
really do not want to go back on these computers and do an unfix.
robin
 
Bill Sanderson

I will, and, in addition, to all machines, period -- Windows 7, Vista, etc.
The vulnerability does not apply in some cases, but this control has no
known use in IE in any version of Windows, so setting the killbit for it
will have no known ill effect, and will not need to be reversed once a patch
is available for the underlying vulnerability.
 
robinb

I put it on 35 XP computers today that I maintain and sent out a mass email
to all my clients to put the fix on.
I have not put it on Vista because everyplace I read, Vista and Windows 7 are
not vulnerable.
robin
 