Tweaking IE to prevent further attacks (for now)

[zridling]

IE was allegedly used by hackers emanating from China. I've noticed the Chinese and Russians don't play nice online. Be interesting to see if Google really does walk away.



"Internet Explorer was one of the vectors" used in the attacks that Google disclosed earlier this week, Microsoft said in a statement. "To date, Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6," the statement said. The vulnerability affects Internet Explorer 6, IE 7, and IE 8 on Windows 7, Vista, Windows XP, Server 2003, Server 2008 R2, as well as IE 6 Service Pack 1 on Windows 2000 Service Pack 4, Microsoft said in an advisory on Thursday afternoon.

The hole exists as an invalid pointer reference within IE and it could allow an attacker to take control of a computer if the target were duped into clicking on a link in an e-mail or an instant message that led to a Web site hosting malware, Microsoft said. "It could also be possible to display specially crafted Web content using banner advertisements or other methods to deliver Web content to affected systems," Microsoft said in the statement.

Microsoft is working on a fix but could not say whether it would address the issue as part of its next Patch Tuesday scheduled for February 9 or before. Setting the IE Internet zone security setting to "high" will protect users from the vulnerability by prompting before running ActiveX Controls and Active Scripting, Microsoft said. Customers should also enable Data Execution Prevention (DEP), which helps mitigate online attacks, the company said. DEP is enabled by default in IE 8 but must be manually turned on in earlier versions.

[Stoic Joker]

So all the Email I've been receiving from hot Russian girls wanting to meet me weren't real... 

I'd been wondering what that was all about.

[lanux128]

Firefox + NoScript, nuff said.

[Stoic Joker]

Firefox + NoScript, nuff said.

-lanux128 (January 15, 2010, 08:11 PM)

Firefox has had its share of issues in the past ... everyone gets a turn.

From the article:

if the target were duped into clicking on a link in an e-mail or an instant message that led to a Web site hosting malware.

Once again, this is more of a social engineering exploit, which simply proves that the only really effective form of security is Common Sense (which I parodied earlier).

If been using IE for years to (at times) surf some of the darkest alleys of the web...and never had an issue. ...It's simply a matter of Defensive Driving on the Information Highway.

[f0dder]

Stoic Joker: still, from what I see the exploit only requires you to visit a malicious site, not to manually run any .exe, .pdf, whatever. Hack one banner server and insert the exploit... *b00m*. It's also a bit scary how many versions of IE it affects... 6->8?

[Stoic Joker]

Stoic Joker: still, from what I see the exploit only requires you to visit a malicious site, not to manually run any .exe, .pdf, whatever. Hack one banner server and insert the exploit... *b00m*. It's also a bit scary how many versions of IE it affects... 6->8?

-f0dder (January 16, 2010, 07:25 AM)

Well, new does imply something that was never noticed before. So if it effects v8 there's really no reason it wouldn't be backward compatible with older versions going back to when the flawed feature was originally included.

I didn't miss this comment I'm just interpreting it a bit differently (I suspect):

"It could also be possible to display specially crafted Web content using banner advertisements or other methods to deliver Web content to affected systems," Microsoft said in the statement.

That still implies to me a bit of (click the banner) culpability on the part of the user. Either way IE has many native blocks in place for which problem child plug-ins are allowed to run on a page on a case by case basis. I leave most of the multimedia flashy crap blocked by default (which makes for faster browsing), and enable it only as I deem necessary. (as example) If a site can't be navigated without flash enabled (rare but it happens) ... I assume the sites creator is an idiot and move on.

One of the things that has always annoyed me about reports like this is the succinct lack of detail on what exactly should be turned on, off, or watched for to mitigate the exposure.

[f0dder]

Stoic Joker: well, I guess it's not that strange that it's possible to find an exploit that works across multiple versions; I was thinking that this implied the same exploit code could be used, which would be quite something... but that isn't mentioned anywhere; brainfart on my part.

Anyway, I've read a few blogs here and there about the exploit, and the details are indeed a bit scarce. But from what I understand it's a javascript bug that's being exploited - and while much of the info is badly worded, I believe that you only need to visit a "compromised site", not actually clicking on anything on the site, which makes it pretty dangerous. Especially now the exploit code is in the open, and will be used for drive-by exploits. Yes, us power users have noscript and adblock, but a lot of regular users don't.

Also, various blog entries mention that IE8 sandboxed mode helps mitigate the attack, and DEP (default in IE8, optional and default-disabled in IE7) also help mitigate the problem, but it's not mentioned how much it helps - like, whether sandboxing lets the exploit do it's stuff, but limits which files can be read/written... and whether DEP might let the browser crash, but not run the exploit code. All we get is "mitigates"

[Stoic Joker]

Hm... So we are on the same page. Odd that the OP mentions restricting ActiveX if it's supposed to be a JavaScript bugg. Java irks me on so many levels I reflexively see red every time it screws up (again...).

I've been using DEP religiously since it first appeared because it had (instantly) proven to be effective, uses 0 resources, & is idiot simple to implement (until Java VM marks all its memory as writable and blows the entire concept into the weeds).

I generally tell people if something strange happens while browsing (regardless of where):
Stop, and immediately run a check with MalwareBytes (or preferred equivalent).
do not click OK or cancel (usually both install), close stray windows with Alt+F4, or let the scanner deal with the really pesky ones.
do not (ever) reboot...because most malware depend on that reflexive behavior to set their hooks in the system.

Strangely, malware based support issues dropped by over 60% when I started giving this speech to clients.

[Krishean]

javascript is not the same thing as java
java is made by sun microsystems
javascript is something entirely different

i really dislike it when people lump them together and don't make it clear that they are two different things
(wikipedia even says "Not to be confused with ..." at the top of their pages)

edit: the best thing to secure IE is to disable active scripting and all plugins, however this also has the effect of making a large part of the internet completely unusable (youtube for example)
edit2: a lot of malware is dependant on old versions of (adobe/macromedia) flash/sun java/adobe acrobat. making sure you have the latest versions of those plugins is always a good idea, and disabling javascript in adobe acrobat helps. also you could avoid acrobat entirely and go with foxit reader as i do 

[f0dder]

First, JavaScript != Java - big difference (I'm sure you already know that, and are just being a bit imprecise in your post). AFAIK a whole bunch of exploits have been targetting vulnerable old Java JVM versions (old versions aren't removed when you upgrade to latest, and java applets can specify specific versions to bind against >_<), while this exploit is JavaScript.

Yeah, ActiveX is mentioned as well; dunno if scripting in IE is implemented with ActiveX, if the exploit is mixed JavaScript/ActiveX, or if the exploit is only in JS but uses some ActiveX objects to do further work... too bad the details are so vague.

DEP is nice, yes, but there's still a few apps here and there that have issues with it - I had to turn off systemwide DEP after a while . Guess it made sense not to have it on by default in IE7, were probably too many browser plugins that were crappily written? It does seem to be 0% overhead though, which is a nice thing; and while it's not complete waterproof solution, it does indeed limit the attack vectors shellcode have.

[Stoic Joker]

First, JavaScript != Java - big difference (I'm sure you already know that, and are just being a bit imprecise in your post). AFAIK a whole bunch of exploits have been targetting vulnerable old Java JVM versions (old versions aren't removed when you upgrade to latest, and java applets can specify specific versions to bind against >_<), while this exploit is JavaScript.

-f0dder (January 16, 2010, 02:12 PM)

Right, but Java & JavaScript both = Sun ... Which is who pisses me off. Frankly I'm rather horrified that they purchased MySQL, as I'm afraid they'll screw that up too.

Yeah, ActiveX is mentioned as well; dunno if scripting in IE is implemented with ActiveX, if the exploit is mixed JavaScript/ActiveX, or if the exploit is only in JS but uses some ActiveX objects to do further work... too bad the details are so vague.

My money is on the last one, but that's admittedly due to a general mistrust/dislike of Sun. Details damnit ... we need details.

DEP is nice, yes, but there's still a few apps here and there that have issues with it - I had to turn off systemwide DEP after a while . Guess it made sense not to have it on by default in IE7, were probably too many browser plugins that were crappily written? It does seem to be 0% overhead though, which is a nice thing; and while it's not complete waterproof solution, it does indeed limit the attack vectors shellcode have.

IESpell gave me issues with IE7 & DEP, but fortunately the combo works perfectly in IE8 so I'm a happy guy. I try to avoid dependancy on plugins as I spend too much time on other people's computers... (site work) ...Ya gota know how to work with what's there. But I'm a big fan of the 80/20 rule and DEP fits that to a T.

[Krishean]

sir you are entirely incorrect.

java is made by sun microsystems
javascript has nothing to do with sun microsystems (read the wikipedia article, you will be educated)

sun buying mysql is not what you have to worry about, what you have to worry about is oracle buying sun

edit: (and therefore oracle buying mysql)
edit2: from my experience exploits do like to use a combination of javascript/activex to do the dirty work, disable one and the other part of the exploit dosen't work right

[Stoic Joker]

sir you are entirely incorrect.

-Krishean (January 16, 2010, 04:02 PM)

Yes, you mentioned that earlier ... Thanks for over stressing the point.

java is made by sun microsystems
javascript has nothing to do with sun microsystems (read the wikipedia article, you will be educated)

Then perhaps they should have been more careful when picking a name, or maybe (just maybe) I like lumping the together because they tend to go hand in hand as a gleefully exploitable nuisance. Either way you should watch your tone if you wish your input to be accepted well.

sun buying mysql is not what you have to worry about, what you have to worry about is oracle buying sun

Wasn't aware of that, but I usually have better things to do with my time than keep track of who bought who this week. Oracle hasn't managed to annoy the crap outa me as of yet ... So I see no reason (thus far) to fear their influence. Sun on the other hand, is on my "list".

[f0dder]

JavaScript was initially developed by Netscape, and was named LiveScript then. But because everybody was hype-OD'ing on Java, some schmuck decided it should be renamed, although JavaScript has very little resemblance to Java. The language has later been standardized as ECMAScript, and Microsoft's dialect is called JScript. Iirc flash's ActionScript is also based on ECMAScript.

JavaScript is actually kinda cool, even when seen outside browsers - you can do some pretty funky stuff with it

[Stoic Joker]

JavaScript was initially developed by Netscape, and was named LiveScript then. But because everybody was hype-OD'ing on Java, some schmuck decided it should be renamed, although JavaScript has very little resemblance to Java. The language has later been standardized as ECMAScript, and Microsoft's dialect is called JScript. Iirc flash's ActionScript is also based on ECMAScript.

-f0dder (January 16, 2010, 05:41 PM)

Now that's the kind of honest answer I can appreciate. (but seriously) I've never really had a compelling reason to investigate distinctions between them. And considering (if it walks like a duck...) they both tend to annoy me, they both get stuck on the same shelf.

Most of the Java based programs I've run into have been crude looking, slow, and generally flakey. This includes high dollar vertical market applications that really should have a more polished behavior for the money they cost (not to mention none of these people seem to have the slightest clue how to do version checking properly). The only reason (I can think of) to create a full blown application out of Java would be if one was trying to (Fire-Drill) rush something cross platform to market. I have in the past tried coding in Java, but quickly found C++ to be (much less aggravating) more durable in the long run.

JavaScript is actually kinda cool, even when seen outside browsers - you can do some pretty funky stuff with it

I have used JavaScript for some things on web pages like input validation or data pumping information between frames in a form. but only as a last resort. (being that you said "fun" I'll skip the why, but...) How the hell would you use it outside a browser?

[f0dder]

I've used Java for ~1½ year now, because it's the language my school teaches - not a bad choice, IMHO. I've come to appreciate a lot of things about it (and the Eclipse IDE), but there's also things that annoy me... especially when it comes to GUIs. Haven't found a decent visual GUI building tool, and the Java GUIs indeed to feel somewhat sloppy. Don't think I'm going to deal with Java code for any personal projects, but OTOH I wouldn't mind having to use it at my job. Performance does seem relatively resonable, though - you don't get the speed of native C++ code, but a friend of mine wrote a realtime textured, filtered, colored-lighted 3D engine; pretty much Quake2 visual quality, in the days of Pentium2's.

As for JavaScript, well... haven't dealt much with it, but again: you can do really funky stuff, because pretty much everything is an object - even your functions. If I needed to add scripting support to something (aka outside-a-browser usage ) I'd seriously consider JavaScript; more lightweight than Python, more "normal" than LUA (even though it's powerful because of those "funky features", but you don't HAVE to use those).