Two Unofficial IE Patches Block Attacks
Pentrex writes "eWeek reports that two well-respected Internet security companies (eEye and Determina) have released unofficial patches to correct the vulnerability being exploited to load spyware, bots and Trojan downloaders on Windows machines. Microsoft isn't sanctioning the third-party patches, which include source code for review. As always, the advice is to weigh the risks before opting for an unofficial hotfix."
Re:How do they even write these patches??? (Score:5, Informative)
Once I had the name of the faulty function, I disassembled it using IDA Pro and found the bug by reading the disassembly. With enough reverse engineering experience, reading disassembled code is not much harder than reading C source code. It just takes longer.
The IE vulnerability is caused by a function called with incorrect parameters which returns SUCCESS instead of an error code. The caller believes that the function succeeded and tries to use an uninitialized variable. The patch is a single byte change in mshtml.dll. The patched function now returns a valid error code and the vulnerability is stopped.
This free patch is just a demonstration of what we do every month as part of our LiveShield product. It is a lot more advanced, but the idea is similar. We use the vulnerability analysis techniques described above to create "shields" that detect and stop specific Microsoft vulnerabilities. The coolest part is that the shields can be inserted and removed at runtime, without having to reboot any of the running applications.
Alexander Sotirov
Security Research
Determina Inc.
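An added C model of the bug class Sotirov describes above (this is not Determina's patch or mshtml.dll code): a callee that reports success on a bad-parameter path without setting its output, beside the one-line equivalent of the fix that returns an error code instead. `S_OK`, `E_INVAL`, `Object` and the lookup functions are this example's own names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug class, not mshtml.dll code. A lookup routine
 * is supposed to fill *out with a heap object and return a status code.
 * S_OK, E_INVAL, Object and lookup_* are names invented for this example. */
#define S_OK    0
#define E_INVAL (-1)

typedef struct { char name[16]; int size; } Object;

static int alloc_object(const char *name, Object **out) {
    *out = calloc(1, sizeof **out);
    if (*out == NULL) return E_INVAL;
    strncpy((*out)->name, name, sizeof((*out)->name) - 1);
    (*out)->size = (int)strlen(name);
    return S_OK;
}

/* "Before": the bad-parameter path returns S_OK without ever writing *out. */
static int lookup_buggy(const char *name, Object **out) {
    if (name == NULL || name[0] == '\0')
        return S_OK;               /* BUG: reports success, *out untouched */
    return alloc_object(name, out);
}

/* "After": the equivalent of the one-byte fix, a real error code instead. */
static int lookup_fixed(const char *name, Object **out) {
    if (name == NULL || name[0] == '\0')
        return E_INVAL;            /* patched: the caller now sees the failure */
    return alloc_object(name, out);
}

/* Caller in the pattern the comment describes: it trusts the status code and
 * then uses the output pointer. A sentinel stands in for whatever the
 * uninitialized stack slot happened to hold, so the demo stays well defined.
 * Returns 1 if the caller would dereference the never-set pointer, else 0. */
static int caller_would_use_garbage(int (*lookup)(const char *, Object **),
                                    const char *name) {
    Object *obj = (Object *)(uintptr_t)0xDEADBEEF;   /* "uninitialized" */
    int rc = lookup(name, &obj);
    if (rc != S_OK)
        return 0;                  /* error handled, pointer never touched */
    if (obj == (Object *)(uintptr_t)0xDEADBEEF)
        return 1;                  /* success reported, but obj is garbage */
    free(obj);                     /* good path: the object was really set */
    return 0;
}
```

The buggy callee turns an ordinary bad-parameter call into a use of stale stack contents; the fixed one makes the caller's existing status check sufficient.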
Re:How do they even write these patches??? (Score:5, Informative)
from the article
Re:But later (Score:1, Informative)
Alexander Sotirov
Security Research
Determina Inc.
Tested and deployed (Score:3, Informative)
While it's clearly not the best solution, it does work and provides a much needed layer for the vast majority of corporations who simply cannot and will not disable active script.
Applying Patches Is Not Free (Score:5, Informative)
Re:Other patches: (Score:5, Informative)
Not entirely true. You can review the code for darwin, and you can review the code for WebKit.
The only thing you can't review is the UI drawing code in AppKit/Quartz/Cocoa etc.
Assembler and debugging references (Score:3, Informative)
I would be surprised if Alexander used the Visual Studio debugger; more likely he used SoftICE or one of the Windows debuggers (NTSD/CDB/KD/WinDbg). SoftICE is a commercial product sold by Compuware and provides both user-mode and kernel-mode debugging. A version of the NTSD debugger comes with Windows, but is less useful than the one that comes with Debugging Tools for Windows [microsoft.com]. NTSD and CDB provide user-mode debugging, the only difference between the applications being that NTSD opens a new console window and CDB does not. KD is the kernel debugger. WinDbg provides the same functionality as NTSD/CDB/KD but with a (spartan) Windows interface.
Re:opensource? (Score:2, Informative)
Re:Applying Patches Is Not Free (Score:1, Informative)
It's stupid, but that's how it seems to work. I'd say that it doesn't work, because security organizations end up spending a lot of extra hours attempting to mitigate the risks. (AV/IDS/Reg hacks/etc..).
For this exploit, I've deployed an IDS signature in IPS mode (drops the exploit packet) for all non-SSL traffic in my company, and rely on content filtering and anti-virus to do the rest. After all this testing and effort on the side of security, we still have a risk.