Microsoft Security Advisory (917077)

Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution

Published: March 23, 2006 | Updated: March 24, 2006

Microsoft has confirmed new public reports of a vulnerability in Microsoft Internet Explorer. Based on our investigation, this vulnerability could allow an attacker to execute arbitrary code on the user's system in the security context of the logged-on user. We have seen examples of proof of concept code and are aware of limited attacks that try to use the reported vulnerabilities In addition, Microsoft has been actively monitoring attempts to exploit this vulnerability and working with industry partners and law enforcement to remove the malicious Web sites using the vulnerability.

Microsoft has determined that an attacker who exploits this vulnerability would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems. In an e-mail based attack, customers would have to click a link to the malicious Web site or open an attachment that exploits the vulnerability. In both Web-based and e-mail based attacks, the code would execute in the security context of the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft will continue to investigate these reports and provide additional guidance depending on customer needs.

Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers. This will either take the form of a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources.

Suggested Actions

Workarounds

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zone.

You can help protect against this vulnerability by changing your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. To do this, follow these steps:

1. In Internet Explorer, click Internet Options on the Tools menu.

2. Click the Security tab.

3. Click Internet, and then click Custom Level.

4. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.

5. Click Local intranet, and then click Custom Level.

6. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.

7. Click OK two times to return to Internet Explorer.

Note Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly.

Impact of Workaround: There are side effects to prompting before running Active Scripting. Many Web sites that are on the Internet or on an intranet use Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use Active Scripting to provide menus, ordering forms, or even account statements. Prompting before running Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run Active Scripting. If you do not want to be prompted for all these sites, use the "Restrict Web sites to only your trusted Web sites" workaround.

Set Internet and Local intranet security zone settings to “High” to prompt before Active Scripting in these zones.

You can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running Active Scripting. You can do this by setting your browser security to High.

To raise the browsing security level in Microsoft Internet Explorer, follow these steps:

1. On the Internet Explorer Tools menu, click Internet Options.

2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.

3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.

Note If no slider is visible, click Default Level, and then move the slider to High.

Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

Impact of Workaround: There are side effects to prompting before running ActiveX Controls and Active Scripting. Many Web sites that are on the Internet or on an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX Controls or Active Scripting. If you do not want to be prompted for all these sites, use the "Restrict Web sites to only your trusted Web sites" workaround.

Restrict Web sites to only your trusted Web sites.

After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to Internet Explorer's Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

To do this, follow these steps:

1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.

2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.

3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.

4. In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.

5. Repeat these steps for each site that you want to add to the zone.

6. Click OK two times to accept the changes and return to Internet Explorer.

Add any sites that you trust not to take malicious action on your computer. Two in particular that you may want to add are "*.windowsupdate.microsoft.com" and “*.update.microsoft.com” (without the quotation marks). These are the sites that will host the update, and it requires an ActiveX Control to install the update.

Source: http://www.microsoft.com/technet/security/advisory/917077.mspx

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage.
Learn about current computer virus and security threats here.

[This message was edited by Wiz Feinberg on 28 March 2006 at 06:13 PM.]

Updated: Microsoft confirms a wave of drive-by downloads targeting a zero-day browser vulnerability and says Internet Explorer users can expect a patch on April 11, if not sooner.

Malicious hackers are using hijacked Web servers and compromised sites to launch a wave of zero-day attacks against an unpatched flaw in Microsoft's Internet Explorer browser.

The first wave of drive-by downloads was spotted on March 25, and security experts tracking the attack say the threat is growing at a rate of 10 new malicious URLs every hour.

eWEEK has seen a list of more than 20 unique domains and 100 unique URLs hosting the exploits, which are dropping a variant of SDbot, a virulent family of backdoors that give hackers complete ownership of infected computers.

SDbot allows attackers to control victims' computers remotely by sending specific commands via IRC (Inter Relay Chat) channels. It has been used to seed botnets and plant keystroke loggers for use in identity theft attacks.

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage.
Learn about current computer virus and security threats here.

The eEye patch ships with a startup item that checks to see if an official patch has been installed from Windows Update, and uninstalls the temporary patch if this has been done. Note that the patch is only for people who feel that they cannot afford to disable active scripting (Javascript), because of the interaction they will lose on all websites.

In order to install this temporary patch you must have administrator level privileges, or use the RunAs command on the setup file.

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage.
Learn about current computer virus and security threats here.

[This message was edited by Wiz Feinberg on 27 March 2006 at 08:40 PM.]

Here is a quote from the Security Advisory update I just received:

quote:

---

Microsoft has been carefully monitoring the attempted exploitation of the vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement. Although the issue is serious and malicious attacks are being attempted, Microsoft’s intelligence sources indicate that the attacks are limited in scope at this time.

The intentional use of exploit code, in any form, to cause damage to computer users is a criminal offense. Accordingly, Microsoft continues to assist law enforcement with its investigation of the attacks in this case. Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site. Customers outside the U.S. should contact the national law enforcement agency in their country.

Microsoft is completing development of a cumulative security update for Internet Explorer that addresses the recent “createTextRange” vulnerability. The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the April security updates on April 11, 2006, or sooner as warranted.

---

Good luck y'all. Read the previous (revised) posts to learn how to protect your computer if you browse the 'net with Internet Explorer. Or, do what I did and switch to browsing with Firefox only, and restrict IE to fetching Windows and Office updates.

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage.
Learn about current computer virus and security threats here.

[This message was edited by Wiz Feinberg on 28 March 2006 at 03:44 PM.]

More...

Microsoft has confirmed it plans to release a fix for a serious security bug in Internet Explorer next Tuesday (11 April). The fix for
the "CreateTextRange" vulnerability - which has become the subject of hacker exploits over recent days - will be released as a cumulative update to Internet Explorer along with four other security bulletins.

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage.
Learn about current computer virus and security threats here.
Read Wiz's Blog for security news and update notices