New Microsoft Internet Explorer Vulnerability Risk - Medium OCSCIC - 10-02-2003

DATE ISSUED: 10/2/03

NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE COORDINATION CYBER ADVISORY

SUBJECT: Zero-Day exploit for Internet Explorer vulnerability being used to install Trojan.

OVERVIEW: Several sources report that exploits are available for a new vulnerability in Microsoft Internet Explorer (IE) which allows attackers to run malicious code on vulnerable systems. The Qhosts Trojan is actively exploiting one of these vulnerabilities to hijack browser sessions by reconfiguring the DNS configuration on infected systems.

Note that Microsoft has not yet issued a patch for this vulnerability.

In addition, one New York State agency has identified a minor Qhosts Trojan infection.

RISK:
Government:
      - Large and medium government entities: Medium
      - Small government entities: Medium
Businesses:
      - Large and small businesses: Medium
      - Small businesses: Medium
Home users: Medium


SYSTEMS AFFECTED:
Systems running Microsoft Internet Explorer 5.01, 5.5, 6.0.

DESCRIPTION:
Vulnerable versions of IE do not properly determine the type of an object returned by a web server. A remote attacker can exploit this through the HTML OBJECT tag, which is used to embed ActiveX content in web pages: the parameter of the OBJECT tag that gives the remote location of the object's data is not checked for validity, so a Trojan executable referenced there is run from within the web page without the user being aware that anything has happened.

The Qhosts Trojan is one example of how this vulnerability is being exploited. Qhosts changes the Windows registry and HOSTS file to redirect DNS queries to an external host that is, presumably, controlled by a malicious person who can, in turn, redirect infected systems to other web sites.
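As an added example (not code from the advisory or from CERT), the following Python audit parses a Windows HOSTS file and flags hostnames pinned to addresses outside loopback and RFC 1918 space, which is the kind of redirection Qhosts writes into the file. The sample HOSTS content, the domain names and the address 203.0.113.7 are constructed for illustration.

```python
"""Audit a Windows HOSTS file for Qhosts-style redirection entries."""
import ipaddress

# Constructed sample, not a real Qhosts artefact: the stock loopback line, a
# harmless LAN entry, and two lines that pin public domains to an outside address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example
203.0.113.7     www.search-example.com search-example.com
203.0.113.7     www.bank-example.com   # added by intruder (constructed)
"""

# Address ranges a HOSTS entry may legitimately point at on a workstation:
# loopback plus the RFC 1918 private networks.  Anything else is reported.
BENIGN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text):
    """Yield (ip, [hostnames]) for each entry; comments and malformed lines are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()                      # tabs or spaces separate fields
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # first field is not an address
        yield ip, parts[1:]


def find_redirects(text):
    """Return (ip, hostname) pairs whose address lies outside BENIGN_NETWORKS.

    A public hostname forced onto an outside address is the hallmark of the
    HOSTS-file hijacking described above; unspecified 0.0.0.0 is ignored as
    it is commonly used to block hosts rather than redirect them."""
    findings = []
    for ip, names in parse_hosts(text):
        if ip.is_unspecified or any(ip in net for net in BENIGN_NETWORKS):
            continue
        findings.extend((str(ip), name.lower()) for name in names)
    return findings


if __name__ == "__main__":
    for ip, name in find_redirects(SAMPLE_HOSTS):
        print(f"suspicious HOSTS entry: {name} -> {ip}")
```

On a live system the same function can be run over the contents of %SystemRoot%\system32\drivers\etc\hosts; anything it reports should be compared against the organisation's known-good entries.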

CERT also cites other examples where the vulnerability is being exploited to install denial of service tools or to change dialer programs so that they make expensive phone calls.

RECOMMENDATIONS:
1) Applying the patch indicated by Microsoft Security Bulletin MS03-032 will correct one way to exploit this vulnerability but there are other variations that are not corrected. Once a new patch is issued by Microsoft it should be applied as soon as possible.

2) Until a patch is available, you can try to mitigate the vulnerability by setting "Run ActiveX controls and plug-ins" in the Internet Zone to either "disable" or "prompt". However, both CERT and a posting on Bugtraq indicate that this may not mitigate the problem, since in some cases the malicious code may not be detected as ActiveX content. Also note that disabling ActiveX may cause problems when accessing existing applications in the Internet Zone.

3) Keep your anti-virus software updated. AV vendors have posted updates to detect Qhosts but that is not the only exploit available.

4) CERT has some additional actions for system administrators that should be evaluated carefully by each organization since they may cause problems with existing business applications.

REFERENCES:

CERT:
http://www.cert.org/incident_notes/IN-2003-04.html

BugTraq:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0310&L=ntbugtraq&F=P&S=&P=2169

McAfee:
http://vil.nai.com/vil/content/v_100719.htm

Symantec:
http://www.symantec.com/avcenter/venc/data/trojan.qhosts.html

SearchSecurity.com:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci930187,00.html

Microsoft:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-032.asp

Neohapsis:
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0084.html

SecurityFocus:
http://www.securityfocus.com/bid/8456/info/
http://www.securityfocus.com/advisories/5725



NYS Cyber Security and Critical Infrastructure Coordination
Floor P2
30 South Pearl Street
Albany, NY 12207
phone: 518-474-0865
