
Code Posted For New IE Exploit

PC World is reporting that two days ago hackers posted code for a new vulnerability in Internet Explorer that could allow drive-by takeover of a vulnerable PC. Security companies say that no exploits using the "daxctle" vulnerability have yet been found in the wild, but they are taking the new threat seriously. Symantec calls the bug "critical" and Secunia rates it highly critical, the most severe rating. The hackers who posted the sample code, xsec.org, refer to it as a "0day" exploit. The article quotes another security expert who calls this label "a stretch."

Update: 09/17 18:00 GMT by C: Fixed link to XSec. Thanks for pointing that one out, folks.
  • Moo (Score:4, Insightful)

    by Chacham ( 981 ) on Sunday September 17, 2006 @08:22AM (#16124237) Homepage Journal
    Another ActiveX exploit. *yawn*

    If you want to be safe in IE, turn off ActiveX from untrusted sites. Hasn't this been known since day one?

    News would be if ActiveX was tested and found to be safe.

  • Re:Moo (Score:1, Insightful)

    by cubicledrone ( 681598 ) on Sunday September 17, 2006 @08:34AM (#16124262)
    Oh noes! Don't criticize teh billywindows! The PC Magazine fanzorz will moderate troll troll troll.

    Ah yes. PC Magazine. Where Macs don't exist and "power-hungry" appears in every third headline.

  • Re:Eh? (Score:5, Insightful)

    by LaughingCoder ( 914424 ) on Sunday September 17, 2006 @08:40AM (#16124276)
    OK, I'll answer the question. About 75% of web users still use IE.

    If you are a sys admin, or a web admin, Deal.
  • by wfberg ( 24378 ) on Sunday September 17, 2006 @08:50AM (#16124296)
    The reason it's not a 0day exploit is because some other dude already discovered the vulnerability, but didn't disclose it to the public? And that second guy is sitting on another 3 or 4 vulnerabilities?

    I'm sorry, what's the definition of 0day exploit these days? If not exploit code for which there is no patch available, then what?

    Can we now use "responsible disclosure" to argue away the fact that actual computer systems are at risk of being exploited right here and now, by saying "yeah, well, you got rooted and all, but we knew about that bug, so it doesn't count, even though we don't have a patch yet."?

    Can we now take comments that the programmers left in the code ("// does this work?" "/* coded while druk */" "//BUGBUG") as an excuse to completely ignore actual vulnerabilities?

    And hey, if TWO researchers come up with this vulnerability seemingly independently, what are the chances of the exploit already circulating in the black hat community? Close to 100%?

    By my definition you've got your negative-day and your zero-day exploits. Negative-day exploits; no patch yet. Zero-day; the patch has just been issued, so might as well give your exploit to scriptkiddies and botnet operators to use on the systems that don't patch early/often enough. Obviously, a negative-day exploit usually isn't going to be used on a large scale, because your average blackhatter wants to keep it in his toolkit to attack well-patched systems; after all, it's what gives him (and his leet skillz) an edge. Once patchday arrives, you might as well give it to some noobs, because they might be interested in unpatched targets, while a leet blackhatter is not.

    So no, it's not a "stretch" to call it 0day. It's negative day, even.
  • Re:Firefox 1.5.07? (Score:4, Insightful)

    by Pecisk ( 688001 ) on Sunday September 17, 2006 @08:52AM (#16124301)
    Probably because there is code in the wild for this exploit and the bug itself is still unfixed?
  • Re:Firefox 1.5.07? (Score:5, Insightful)

    by Wylfing ( 144940 ) <brian@NOsPAm.wylfing.net> on Sunday September 17, 2006 @09:34AM (#16124416) Homepage Journal

    Considering that Firefox is the more common browser on Slashdot, how about doing a story about Firefox 1.5.07 fixing four separate critical heap corruption exploits and an honest to god RSA signature spoofing exploit? These stories about IE exploits come off as pure Microsoft-hate masturbation.

    OK, smarty, I will explain the difference to you. On one hand we have Firefox, which is a piece of software that is free in both senses, and you can use it, or not use it, or delete from your system, or whatever you want. On the other hand we have Internet Explorer, which is forced upon you via "leveraging," you cannot remove, and you must use because of contrived tie-ins to fundamental system functions.

    If there is an exploit for Firefox, I can shrug my shoulders and use any of a dozen other browsers to look at web pages until it gets fixed. Or I can choose to continue using Firefox anyway, despite the risk. It's my choice. However, if there is an exploit in Internet Explorer, I am just plain screwed. I can't switch the goddamn thing off or remove it. Hell, there are plenty of applications and services that will gleefully launch IE of their own accord and start loading internets from God knows where, and there's no way for me to stop it. Because of Microsoft's predatory practices, I have no choice in the matter (except to abandon Windows altogether, which is also not an option -- see how all my choices have been removed?). You're damn right people are a lot more upset when exploits turn up in IE. We are required to suffer the fallout from them.

  • by rs232 ( 849320 ) on Sunday September 17, 2006 @09:43AM (#16124449)
    "if you want to be safe in IE, turn off ActiveX from untrusted sites"

    How do you know what is or is not an untrusted site?

    How in any way is that comment "insightful"?
  • by SLi ( 132609 ) on Sunday September 17, 2006 @10:11AM (#16124539)
    Huh? If you don't have any specific reason to trust it, it's untrusted. I would have thunk that's Internet 101.
  • Re:Firefox 1.5.07? (Score:3, Insightful)

    by RonnyJ ( 651856 ) on Sunday September 17, 2006 @10:28AM (#16124598)
    That's contrary to what the second line in the summary says, though you've still been modded up despite posting no evidence to back your claim up.

    Security companies say that no exploits using the "daxctle" vulnerability have yet been found in the wild

  • by Psykechan ( 255694 ) on Sunday September 17, 2006 @10:54AM (#16124680)
    Your link points out that IE7 is vulnerable but it will prompt you to run the ActiveX control before hosing your system. From the average user's point of view, they get a message asking to run something created and signed by Microsoft for the page to load. Tell me how many average users, even the relatively computer savvy, will allow the control to run?

    Throwing a constant barrage of OS/browser security pop-ups on the screen does not make it secure. Making it so that an exploitable control can be completely removed and not just "effectively removed" from the system helps make the system more secure but this is just a workaround. If the control was designed to be able to grant system level privileges to a web page then it's time to go back to the proverbial drawing board.

    If it wasn't designed that way, then patch it when you first hear about it over a month ago [securityfocus.com] and stop complaining about people releasing it to the public. I would rather have everyone know about it than have just Microsoft, a few security people, and several black hats knowing.
