Thursday 19 September 2013

Microsoft Zero-Day IE flaw with a complex fix

I would normally have waited until my monthly Patch Tuesday update to discuss Microsoft security vulnerabilities and updates. However, when I read about the latest Microsoft zero-day exploit and security flaw, and then saw that the BBC thought it was sufficiently important to report on, well, I had to post something.

The Remote Code Execution vulnerability exploited in this attack affects all versions of Internet Explorer (both 32- and 64-bit) bar the latest version (11). The CVE description for this issue includes:
"Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll."
This means that a specially crafted web page that includes some nasty JavaScript code could allow an attacker to execute code on the user's machine. This code could include spyware (watches your keystrokes) or malware (leaves a trojan behind), and could directly affect (copy/delete) files and data on the affected machine.

There is already a fix posted by the TechNet and IE team, which you can read about in the IE TechNet blog located here: http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx

This attack is a little annoying (besides the potential damage it could allow) as I thought that IE employed security tactics to prevent these kinds of attacks. Reading the IE blog posting, the vulnerability is described as:
The purpose of this DLL in the context of this exploit is to bypass ASLR by providing executable code at known addresses in memory, so that a hardcoded ROP (Return Oriented Programming) chain can be used to mark the pages containing shellcode (in the form of Javascript strings) as executable.
ASLR is a programming and security technique designed to prevent these kinds of attacks by randomly assigning the addresses at which code and data are placed in memory each time a program runs. This is very much like removing the door numbers from within an office building - it makes finding anything or anyone very difficult.

It looks like the primary components of IE are built with ASLR and so benefit from its protection. However, the sub-components that IE loads (hxds.dll in this case) were not, and that left a way in for attackers.
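The quoted SRD description says the exploit relied on a module that is not compiled with ASLR. Whether a Windows module opts in to ASLR (and to DEP/NX) is recorded in the DllCharacteristics field of its PE optional header, so an administrator can audit the modules a process loads before an attacker finds the one that is missing the flag. The following is an added example written for this post (not code from Microsoft or the SRD blog): it parses the DOS, COFF and optional headers to read those bits, and reports which modules in a set lack ASLR. The flag values are the documented IMAGE_DLLCHARACTERISTICS_* constants from the PE/COFF specification; the build_minimal_pe helper, the module names and their flag combinations are constructed purely so the check can run offline.

```python
"""Audit a PE image's opt-in mitigation flags (ASLR / DEP) from its headers.

Added example for this post, not code from Microsoft or the SRD blog.
The builder below fabricates minimal in-memory PE images so the check can be
demonstrated offline; real DLLs are read from disk with open(path, "rb").
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits of the optional header (PE/COFF spec).
DLLCHAR_HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high entropy
DLLCHAR_DYNAMIC_BASE = 0x0040      # image may be relocated at load time (ASLR)
DLLCHAR_NX_COMPAT = 0x0100         # image is DEP/NX compatible
# IMAGE_FILE_* bits of the COFF file header.
FILE_EXECUTABLE_IMAGE = 0x0002
FILE_DLL = 0x2000

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_mitigations(data: bytes) -> dict:
    """Parse DOS, COFF and optional headers; report the ASLR/DEP opt-in bits."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsections, _stamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    # DllCharacteristics sits at offset 70 of the optional header in both formats.
    (dllchars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "format": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "is_dll": bool(characteristics & FILE_DLL),
        "aslr": bool(dllchars & DLLCHAR_DYNAMIC_BASE),
        "high_entropy_va": bool(dllchars & DLLCHAR_HIGH_ENTROPY_VA),
        "dep": bool(dllchars & DLLCHAR_NX_COMPAT),
    }


def modules_without_aslr(modules: dict) -> list:
    """Given {name: image bytes}, return the names that do not opt in to ASLR."""
    return sorted(name for name, blob in modules.items()
                  if not pe_mitigations(blob)["aslr"])


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False,
                     is_dll: bool = True) -> bytes:
    """Construct a header-only PE image (no sections, no data directories).

    Test scaffolding for this example only: the result is not loadable, it is
    just enough for the header parser above to exercise the flag checks.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 if pe32plus else 96       # standard fields only
    coff_header = struct.pack(
        "<HHIIIHH",
        0x8664 if pe32plus else 0x14C,       # Machine: x64 or i386
        0, 0, 0, 0,                          # sections, timestamp, symbols
        opt_size,
        FILE_EXECUTABLE_IMAGE | (FILE_DLL if is_dll else 0),
    )
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, 70, dll_characteristics)
    return dos_header + b"PE\0\0" + coff_header + bytes(optional)


if __name__ == "__main__":
    # Constructed sample "modules": names and flags are invented for the demo.
    sample = {
        "aslr_enabled.dll": build_minimal_pe(DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT),
        "legacy_helper.dll": build_minimal_pe(DLLCHAR_NX_COMPAT),      # no ASLR
        "x64_module.dll": build_minimal_pe(
            DLLCHAR_DYNAMIC_BASE | DLLCHAR_HIGH_ENTROPY_VA | DLLCHAR_NX_COMPAT,
            pe32plus=True),
    }
    for name, blob in sample.items():
        print(name, pe_mitigations(blob))
    print("Modules without ASLR:", modules_without_aslr(sample))
```

To audit real modules, feed pe_mitigations the bytes of each DLL a process loads; the same "Dynamic base" flag is what dumpbin /headers and the ASLR column in Sysinternals Process Explorer report. One caveat: the flag is necessary but not sufficient. A module whose relocation data has been stripped cannot be moved even if it claims DYNAMIC_BASE, and conversely a system configured to force ASLR may relocate some modules that never opted in, so treat the header check as the first screen and confirm the loaded base addresses on the running system.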

It is rather like having super-secure, vetted full-time employees and then bringing in 3rd-party contractors with similar security access and privileges.

I wonder if Microsoft will call these types of dependency attacks the "Snowden Way In".

References:

ASLR (Wikipedia): http://en.wikipedia.org/wiki/Address_space_layout_randomization

Microsoft Security Advisory 2887505: http://technet.microsoft.com/en-us/security/advisory/2887505

CVE vulnerability entry CVE-2013-3893: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3893
