New Zero-Day IE Bug Can Give Attackers Control
As first reported by the French research firm FrSIRT, and then picked up by other vulnerability trackers, the bug in IE is due to a memory error caused when the browser instantiates the Msdds.dll object as an ActiveX control. A successful exploit, which would most likely be posted on a malicious Web site, could let the attacker gain complete control of the PC without any user interaction.
"Microsoft is investigating new public reports of a possible vulnerability in Internet Explorer," the company confirmed in the advisory, the second in two days. "We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time."
The flaw is similar to one of the critical vulnerabilities patched in Microsoft's security bulletin MS05-038 Tuesday, August 9 -- that patch fixed some other object instantiation problems in IE -- but different enough that up-to-date machines are not safe.
Exploit code is already circulating, the SANS Internet Storm Center (ISC) announced Thursday afternoon as it raised its overall threat level to yellow, a color code that represents the discovery of a significant new threat.
"We moved to Yellow as we feel widespread malicious use of this vulnerability is imminent," the ISC said in an alert on its Web site. San Diego, Calif.-based Internet security monitoring company Websense has added detection for the exploit to its scanners, said Dan Hubbard, the company's senior director of security and research. As of mid-day Thursday, however, no malicious Web sites using the exploit had been found.
"We started scanning for the exploit on Wednesday, when FrSIRT announced the vulnerability and posted the code, but we haven't found anything yet," said Hubbard. "That's not unusual. It often takes a day or so for exploits to end up on malicious sites."
Many users may be safe even without a patch, since the Msdds.dll file isn't installed by Windows by default. If it is present, it's likely been added by Visual Studio .Net, although other applications -- including Microsoft Office 2000, 2002, and XP -- may also install the .dll, said the ISC.
While an official patch isn't available from Microsoft -- making this a so-called "zero-day" exploit -- several workarounds can be applied by users or administrators, said the ISC. The kill bit for the ActiveX component could be set, the .dll could be removed (although that, warned the ISC, might break some applications), or users could switch to another browser, like Mozilla's Firefox, which doesn't use ActiveX.
As usual, Microsoft was purposefully obscure about its plans. "Upon completion of this investigation, Microsoft will take the appropriate action. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."
The ISC, however, has posted an unofficial "patch," an automated utility that runs a script to set the kill bit for Msdds.dll to prevent the file from being used as an ActiveX control.
"Of course, this will break ActiveX applications which use msdds.dll legitimately," the ISC said in documentation accompanying the utility. "Use at your own risk."
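The kill-bit workaround the ISC describes, as an added PowerShell example that is not the ISC's utility and not from the original article: it finds every COM class whose InprocServer32 entry points at msdds.dll, then sets the "Compatibility Flags" kill bit (0x400, the documented IE mechanism) under the ActiveX Compatibility key so IE refuses to instantiate those classes. The DLL file name, the Wow6432Node path for 32-bit IE on 64-bit Windows, and running from an elevated prompt are assumptions; the page gives no CLSID, so none is hard-coded.

```powershell
# Added example (not the ISC utility). Run from an elevated PowerShell prompt.
# Assumption: the vulnerable control lives in msdds.dll and is registered under HKCR\CLSID.
$dllName     = 'msdds.dll'
$killBitFlag = 0x400   # Kill bit: IE will not load the class as an ActiveX control

# Step 1: collect every CLSID whose in-process server is msdds.dll
$clsids = @()
foreach ($key in Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
    $inproc = Join-Path $key.PSPath 'InprocServer32'
    if (-not (Test-Path $inproc)) { continue }
    $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
    if (-not $server) { continue }
    # Strip surrounding quotes; the path may use %SystemRoot% or similar, GetFileName copes with that
    if ([System.IO.Path]::GetFileName($server.Trim('"')) -ieq $dllName) {
        $clsids += $key.PSChildName   # e.g. {...}, taken from the registry, never hard-coded
    }
}

if ($clsids.Count -eq 0) {
    Write-Host "$dllName is not registered as a COM server here; no kill bit needed."
    return
}

# Step 2: write the kill bit for each CLSID (64-bit hosts also need the Wow6432Node view for 32-bit IE)
$compatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
foreach ($clsid in $clsids) {
    foreach ($root in $compatRoots) {
        if (-not (Test-Path (Split-Path $root))) { continue }   # skip Wow6432Node on 32-bit Windows
        $keyPath = Join-Path $root $clsid
        New-Item -Path $keyPath -Force | Out-Null
        New-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -PropertyType DWord `
                         -Value $killBitFlag -Force | Out-Null
        # Step 3: read the value back so the change is verified, not assumed
        $set = (Get-ItemProperty -Path $keyPath).'Compatibility Flags'
        Write-Host ('{0}  {1}  Compatibility Flags=0x{2:X}' -f $root, $clsid, $set)
    }
}
```

As the ISC notes, this blocks legitimate ActiveX use of the DLL as well; removing the keys written above restores it.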
Several security organizations, including Websense, have not been able to successfully exploit the vulnerability with the code FrSIRT posted, but that, said Hubbard, may be because of the version of the .dll being used. "We've only had a chance to test it briefly," he admitted.
Meanwhile, Websense has found a number of malicious Web sites hosting exploit code taking advantage of August's and July's vulnerabilities in Internet Explorer.
Exploits against the object instantiation bug patched last week have popped up on "about a dozen sites," said Hubbard, but the July flaw, another object instantiation vulnerability, is the focus of "more than 200 sites," he added.
"Starting Sunday, proof of concept code for MS05-038 appeared," said Hubbard. "There's been a huge spam campaign to draw users to a fake pharmaceutical site hosted in Sweden. Attackers are running shell code from those sites against unpatched users."
Websense has posted an advisory on the MS05-038 exploit that goes into more detail.