Patch for IE hole to be released today
Microsoft has announced that the security update for Internet Explorer is to be released this evening (Thursday). According to first reports, exploits have now appeared on publicly accessible web servers which use the hole to infect visitors' computers with malware. Previous reports only mentioned targeted attacks on users in companies such as Google, Adobe and others. However, the current public exploit is only functional on computers that run Internet Explorer 6 and Windows XP.
In its "Security Research & Defense" blog, Microsoft emphasises that switching to Internet Explorer 8 currently offers adequate protection. According to the blog, the exploits for Internet Explorer 8 capable of bypassing Data Execution Prevention are only known to a limited number of security vendors and government CERT agencies. Furthermore, the exploit apparently only causes a browser crash in two out of three attempts, which Microsoft attributes to the Address Space Layout Randomization (ASLR) feature.
SecureWorks say that new analyses of the malicious code used in the Aurora attacks on Google and other vendors indicate that the required code development had been in progress for quite some time. Certain compiler time stamps in the analysed code apparently date back to 2006. Joe Stewart also thinks that the developers paid particular attention to concealing the origin of the binaries and the system used to create them. For instance, the PE headers that precede every program reportedly contain no indication that Chinese developers were involved. Usually, the PE header contains a country or language code. According to the report, the authors either compiled the code on an English-language system, or they manually edited the header afterwards.
The only trace that points towards a Chinese origin is reportedly some CRC code used by the backdoor (the Hydraq trojan), because a Google query for this code apparently produces exclusively Chinese pages. The attackers' level of care, however, raises the question of why they didn't manage to fully conceal the communication between the backdoor and the control servers. Although this communication took place in SSL-encrypted form, it was apparently still traceable to China.
At the same time as announcing the patch for IE, Microsoft has also confirmed the privilege escalation hole in Windows reported yesterday. Microsoft say they want to complete their investigation of the hole and will then decide whether, how and when to close it. As a workaround, the vendor recommends that users disable 16-bit applications via the group policy settings. However, this solution only works for corporate customers, because most of the home editions of Windows don't include a group policy editor. An alternative is to create an HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat key in the registry and, under it, a DWORD value named VDMDisallowed set to 1. When this solution was tested by The H's associates at heise Security, the exploit no longer worked under XP. The registry key can be generated automatically by placing the following text:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat]
"VDMDisallowed"=dword:00000001
into a file called vdmdisallow.reg and double-clicking on the file. Windows will then automatically import the key (admin rights are required to perform this action).
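The same workaround as an added PowerShell example (not from the article, Microsoft or heise Security): it reports whether 16-bit applications are currently blocked on the machine and, only when run with -Apply, creates the key and value described above. The key path and the VDMDisallowed value come from the article; the script structure and the Get-VdmState function name are my own.

```powershell
# Added example: audit (and optionally apply) the VDMDisallowed workaround
# from the article. Key path and value name are from the article; the rest
# is assumed. Run in an elevated PowerShell when using -Apply.
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

$keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$valueName = 'VDMDisallowed'

function Get-VdmState {
    # Returns 'blocked' (value is 1), 'allowed' (value present but not 1)
    # or 'not configured' (key or value missing).
    if (-not (Test-Path $keyPath)) { return 'not configured' }
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not configured' }
    if ($item.$valueName -eq 1) { return 'blocked' }
    return 'allowed'
}

$before = Get-VdmState
Write-Host "16-bit (NTVDM) applications: $before"

if ($Apply -and $before -ne 'blocked') {
    # Create the policy key if it does not exist yet, then the DWORD value.
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "Workaround applied; new state: $(Get-VdmState)"
}
```

Running the script without -Apply is a quick way to check a fleet of XP machines for the mitigation before the Microsoft fix is available.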
See also:
- Windows hole discovered after 17 years, a report from The H.
- Internet Explorer hole: Help is at hand, a report from The H.
- German government IE warning leads to spike in Firefox downloads, a report from The H.
- Hole in Internet Explorer: Good news and bad news, a report from The H.
- UK Government won't issue Internet Explorer warning, a report from The H.
- Targeted attacks on businesses continue, a report from The H.
- US to protest against Chinese hacker attacks, a report from The H.
- Warning over using Internet Explorer from German Government as exploit goes public, a report from The H.
- Security update released for Adobe Reader and Acrobat, a report from The H.
- Google considers closing its Chinese operation, a report from The H.
- US report: China is expanding its corporate cyber espionage, a report from The H.
- Infiltrated Chinese software spies on Tibetan government in exile's computers, a report from The H.
- F-Secure advises against using Adobe Reader, a report from The H.
(crve)