Some media sources are quoting it as a ‘new bug‘ – which it isn’t, according to other sources it has been known about for at least 2 years and one paper has traced it back as far as 2002 (PDF file).

Microsoft last Friday said it was looking into a long-known vulnerability in Internet Explorer (IE) that could be used to access users’ data and Web-based accounts.

The bug can allow hackers to hijack Web mail accounts, steal data and send illicit tweets, said Google security engineer Chris Evans in a message posted on the Full Disclosure mailing list. Evans also published a demonstration that showed how the flaw in IE8 could be used to commandeer a user’s Twitter account and send unauthorized tweets.

The vulnerability, known as a “CSS cross-origin theft” bug, has a long history. Researchers at Carnegie Mellon University, who recently published a paper on the subject, have traced it back as far as 2002. Those researchers will present their paper at the Conference on Computer and Communications Security next month. Even so, the flaw received little attention until Evans blogged about it in December 2009. He had submitted a bug report for Chrome eight months earlier.

Microsoft did Tweet about looking into something but haven’t named it although coincidentally it was just a few hours after the public disclosure of this flaw. A point of contention is that this bug has been known about for a long time and has been patched by all the other major browsers including Chrome and Firefox.

Another interesting point is that Chris Evans is actually a Google engineer. Earlier this year Tavis Ormandy went public with a serious flaw in Windows once again stating Microsoft was unwilling to address it.

Although Microsoft has not patched the vulnerability in IE8, other browsers, including Firefox, Chrome, Safari and Opera, have fixed the flaw. Google patched the bug in Chrome last January, while Mozilla did the same in July with Firefox 3.6.7 and Firefox 3.5.11.

IE9 includes a fix for the vulnerability. Microsoft plans to ship a public beta of IE9 on Sept. 15.

On Friday, Evans explained why he was adding to the patch pressure by crafting a proof-of-concept. “I have been unsuccessful in persuading the vendor to issue a fix,” he said of Microsoft.

Microsoft issued a statement Friday saying it was investigating Evans’ reports, but declined to answer questions on Monday, including whether earlier versions of IE were vulnerable or why it has not yet addressed the bug.

“We’re currently unaware of any attacks trying to use the claimed vulnerability or of customer impact,” said Jerry Bryant, a group manager with the Microsoft Security Response Center, in the e-mailed statement.

In the case of Tavis Ormandy it was the Windows Help Vulnerability Exploited In The Wild, I expect with this vulnerability going public and with an accompanying proof of concept we may well see this CSS attack in the wild too.

IF you are interested you can see the PoC for the bug here:

http://scary.beasts.org/misc/twitter.html

Source: Network World

Ah Microsoft is treating this one seriously after France and Germany advised users to avoid IE.

The current strain being exploited only targets IE6 users, but one security company has developed an exploit for IE8 which also bypasses DEP (Data Execution Prevention).

It was rumoured this was the exploit used last week to compromise Google and various other high profile networks. Although I am skeptical as to why anyone was using IE inside Google? Perhaps doing cross browser testing for development, who knows.

Microsoft will release an out-of-band patch Jan. 21 to fix the Internet Explorer vulnerability at the center of recent attacks on Google and other enterprises.

According to Microsoft, the patch is slated to be ready around 1 p.m. EST. If all goes according to plan, the patch will close a hole that has prompted France and Germany to advise users to avoid IE and the U.S. State Department to demand answers from China. Attackers have used the vulnerability to hit IE 6. Microsoft so far has said it has only seen limited, targeted attacks using the vulnerability.

Meanwhile, security researchers have continued to uncover information about the origin of the attack. Joe Stewart, director of malware research for SecureWorks’ Counter Threat Unit, said his analysis of the code for the main Trojan involved in the attacks shows a more direct link to China.

It’s very rare for them to push an out-of-band patch for anything but I guess there are still a LOT of IE users out there and this is a serious flaw.

It does seem to originate from China with the only discussions about the technical parts of the flaw and implementation being discussed on Chinese language sites.

As can be seen by a Google search here (“crc_ta[16]“), after the first few English news sites reporting the flaw the rest of the results are in Chinese.

According to Stewart, the code includes a CRC (cyclic redundancy check) algorithm implementation released as part of a Chinese-language paper on optimizing CRC algorithms for use in microcontrollers.

“This CRC -16 implementation seems to be virtually unknown outside of China, as shown by a Google search for one of the key variables, ‘crc_ta[16],’” Stewart noted in a SecureWorks blog post Jan. 20. “At the time of this writing, almost every page with meaningful content concerning the algorithm is Chinese.”

Up until this finding, Stewart told eWEEK, the factors leading people to point to China were patterns similar to previous Chinese malware.

“Unfortunately, when investigating malware, nothing is conclusive because digital evidence can be forged,” he said. “However, I believe the use of the Chinese algorithm certainly gives more credence to the attack code being Chinese in origin.”

They really have no choice but to release this patch when faced with government pressure, you should see it hitting your Windows Update sometime today (Jan 21st).

Let’s hope this patch has been tested properly and doesn’t subject users to another black screen of death.

It’s good to see some proactive initiatives by Microsoft, I hope they continue through 2010.

Source: eWeek

I’m sure you’ve heard about the Microsoft IE7 Exploit that allows Remote Code Execution on XP & Vista, it turns out it’s actually much worse than first expected.

The exploit also affects IE5.01, IE6 and IE8 on all OS versions! That’s a pretty worrying turn of events for MS especially as they are seemingly leaving it unpatched.

You can find a clarification of the various workarounds for the IE flaw on Technet here.

Researchers are warning that the unpatched security vulnerability in Microsoft’s Internet Explorer affects more versions of the browser than previously thought, and that steps users must take to prevent exploitation are harder than first published.

According to an updated advisory from Redmond, the bug that’s been actively exploited since Tuesday bites versions 5.01, 6, and 8 of the browser, which is by far the most widely used on the web. A previous warning from Microsoft only said that IE 7 was susceptible to the attacks. IE is susceptible when running on all supported versions of the Windows operating systems, Microsoft also says.

What’s more, while there is some protection from Vista’s User Account Control, the measure doesn’t altogether prevent the attack, according to this post on the Spyware Sucks blog. Microsoft and others have suggested that those who must use IE in the next few weeks set the security level to high for the internet security zone or disable active scripting. These are sensible measures, but they don’t guarantee you won’t be pwned, according to this post from the Secunia blog.

Once again Firefox users for the win, this is a flaw in the whole family of Internet Explorer and must effect a shocking amount of users. I guess setting your Security Zone to high and disabling Active Scripting helps but then it also disables a lot of features on a lot of sites.

So you are losing out on the user experience of the web just to be more secure, mostly because Microsoft doesn’t want to release an ad-hoc patch.

Well Google Chrome final version is out now too, so there’s another option for people.

Secunia goes on to revise what it says is the cause of the vulnerability. Contrary to earlier reports that pinned the blame on the way IE handles certain types of data that use the extensible markup language, or XML, format, the true cause is faulty data binding, meaning exploit code need not use XML.

Microsoft has yet to say whether it plans to issue a fix ahead of next month’s scheduled release. For the moment, the volume of in-the-wild attacks remains relatively modest and limited mostly to sites based in China. But because attackers are injecting exploits into legitimate sites that have been compromised, we continue to recommend that users steer clear of IE until the hole has been closed.

Plenty of other researchers have weighed in with additional details about the flaw. Links from SANS, Sophos and Hackademix.

I think an imminent danger is if people start using iframe vulnerabilies and XSS to inject this exploit into some more prominent sites – that could cause a huge spread of infections!

Anyway just let people using IE know that this is another reason they shouldn’t be using it! Show them how to download and install Firefox and please teach them to use Tabs!

Source: The Register

It seems a new, fairly serious flaw has been discovered in Internet Explorer 7 – and as accounts go it’s been around for a couple of months in the underground.

The worrying part is, patch Tuesday was yesterday and after testing it’s been discovered that this flaw WAS NOT patched in the updates.

ISC reports that it’s not currently widely used, but it has been found in the wild.

Microsoft said it is investigating reports that a new exploit is going around that takes advantage of an unpatched security hole in Internet Explorer 7.

The SANS Internet Storm Center, which tracks hacking trends, said today that while the exploit does not appear to be widely in use at the moment, that situation is likely to change soon, since instructions showing criminals how to take advantage of this flaw have been posted online.

SANS emphasizes that this vulnerability is not one that was fixed in the massive bundle of patches that Microsoft issued yesterday. It is not clear what steps users can take to protect themselves against this threat, other than to browse the Web with something other than IE, such as Mozilla Firefox or Opera. This appears to be the type of vulnerability that could be used to give attackers complete control over an affected system merely by convincing users to browse to a specially-crafted hacked or malicious Web site.

It seems the safest thing is not to use IE, which I personally have been doing since about 1998 anyway. But still, some people claim they have problems with Java or JavaScript or AJAX enabled sites with Firefox.

There’s always Opera, or even the new Google Chrome.

This exploit is a serious one as someone only needs to visit the site and remote code can be injected into their OS and executed.

According to SANS, the exploit works against fully-patched Windows XP and Windows 2003 systems with Internet Explorer 7.

In a statement e-mailed to Security Fix, Microsoft said once it is done with its investigation, the company “will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.”

Once again it’s demonstrated how stupid ‘Patch Tuesday’ is and how half of the people on the Internet are going to be vulnerable to this serious flaw until the first Tuesday in January.

I really hope Microsoft pushes out an emergency patch outside their schedule ASAP.

You can find a list of the sites known to be distributing the code on Shadowserver here.

Source: Security Fix