Tuesday, March 30, 2010

Microsoft Releases "Out of Band" IE Update

Microsoft has released a new patch for Internet Explorer, and no, your calendar isn't off, this is NOT the Second Tuesday of the month. According to the Microsoft Security Advisory, updated today, the reason for the out-of-band release was that the vulnerability described in CVE-2010-0806, "Uninitilized Memory Corruption Vulnerability", was being widely seen in the wild.

Interestingly, Microsoft thanks Chinese security company "VenusTech" for providing them notice of that exploit.

Absolutely. On March 10th the exploit was added to the MetaSploit framework, and instructions on how to use the exploit immediately hopped on many hacker boards. We saw it first on the replacement for Milw0rm, XpltDB: Exploit-DB.com.

Here is just a sampling of some of the places its being openly discussed:

hackua.com - the Ukrainian hacking forum, had a post on March 14, 2010 by "Dementor" explaining the use of the exploit, which quoted the HD Moore version, including the comments about the exploit being observed in the wild by Red-Sec, who observed the exploit on the website www.topix21century.com

0day.net in Guizhou province, China, had the Chinese language version of the discussion beginning on March 12th, posted by the owner of the forum, asphack. He provided a .rar file of the exploit from his website, asphack.com.

exploit.in, which despite the India country code is a Russian language website carrying banner ads for various Russian-language cybercrime sites, such as "InstallsMarket", "SecretsLine VPN", and "EvaPharmacy". As an example of those, InstallsMarket will install your malware on 1,000 US-based bots for $100. Interesting place to be discussing IE vulnerabilities, no?

Korea's SecurityPlus also was sharing details, and the exploit.

Several Chinese hacker sites linked back to: BBS.pediy.com. Their very active "Software Debugging Forum" had several members contributing suggested improvements to the shell code. 45 replies to the thread so far, but the thread has been read almost 5,000 times!

The Microsoft Bulletin is here:


Some of the issues addressed include:

CVE-2010-0267 - Uninitialized Memory Corruption Vulnerability
CVE-2010-0488 - Post Encoding Information Disclosure Vulnerability
CVE-2010-0489 - Race Condition Memory Corruption Vulnerability
CVE-2010-0490 - Uninitialized Memory Corruption Vulnerability
CVE-2010-0491 - HTML Object Memory Corruption Vulnerability
CVE-2010-0492 - HTML Object Memory Corruption Vulnerability
CVE-2010-0494 - HTML Element Cross-Domain Vulnerability
CVE-2010-0805 - Memory Corruption Vulnerability
CVE-2010-0806 - Uninitialized Memory Corruption Vulnerability
CVE-2010-0807 - HTML Rendering Memory Corruption Vulnerability

Yeah, I think we ought to install that patch!

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.