No surprises here.
Source: Computer World
Microsoft on Saturday told customers that cyber-criminals are exploiting an unpatched and critical vulnerability in Internet Explorer (IE) using "drive-by" attacks.
According to Microsoft, the attacks have been launched against IE users tricked into visiting malicious websites. Such attacks, dubbed "drive-bys," are among the most dangerous because a vulnerable browser can be hacked as soon as its user surfs to the URL.
All currently-supported versions of IE are at risk, Microsoft said, including 2001's IE6, which still receives patches on Windows Server 2003. The same browser will not be repaired on Windows XP, as the operating system was retired from patch support on April 8.
The IE flaw was the first post-retirement bug affecting XP.
And that's important.
Because Microsoft will eventually patch the drive-by bug in IE6, IE7 and IE8, then deliver those patches to PCs running Windows Vista and Windows 7, it's likely that hackers will be able to uncover the flaw in the browsers' code, then exploit it on the same browsers running on Windows XP.
Microsoft said that was the biggest risk of running XP -- and IE on it -- after the operating system was retired, claiming last year that XP was 66% more likely to be infected with malware once patching stopped.
Windows XP users can make it more difficult for attackers to exploit the IE bug by installing the Enhanced Mitigation Experience Toolkit (EMET) 4.1, an anti-exploit utility available on Microsoft's website.
The security advisory included other steps customers can take to reduce risk. Among them is to "unregister" the vgx.dll file. That .dll (for dynamic-link library) is one of the modules that renders VML (vector markup language) within Windows and IE.
Another way Windows XP users can avoid IE-based attacks is to switch to an alternate browser, like Google's Chrome or Mozilla's Firefox. Both will continue to receive security updates for at least the next 12 months.
Makes the 6 hours I spent getting my Mom's old PC upgraded to a point it could take Windows 8 yesterday afternoon seem worth it, thanks for sharing!
And this warning come from Microsoft who really want people to buy their latest OS to which end a scare story will help... Hmmm
I notice MS don't point out that users can avoid the problem by not using IE, an application that nobody I know has used for years.
Oh and before anybody says it, I am not suggesting users shouldn't upgrade, just that they shouldn't be frightened into doing it.
To paraphrase Michael Moore,
"Welcome to the world of....BOOOO!"
Maybe I can use this to push through getting the last few XP machines here upgraded...
Playing devils advocate here, but those who would seek to expolit XP have most likely been sitting on any zero day exploits they have figured out safe in the knowlege they can run with them the minute support for XP ends. This comes as no surprise to me tbh.
And c'mon, it's a 13 year old O/S, it had to be cut off at some point.
ICTDirect_Dave (28th April 2014)
I wouldn't dare still use XP. Non technical users seem to find these drive by sites/java exploits/flash exploits etc. IE10/IE11 enhanced protected mode seems to be the way to go. MS could just offer a cheap upgrade, like apple. £20-30 to go to Win 8.1 for home users.
So, how about practical discussion of how to protect our networks?
Create \\server\share\unregvgx.bat (or .cmd or whatever you like) containing this:
"%SystemRoot%\System32\regsvr32.exe" -u -s "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
You all know where to get psexec: http://live.sysinternals.com/psexec.exe -- run this command:
psexec -h -u domain\adminUserName \\* \\server\share\unregvgx.bat
Quick and dirty and gets it out there to everything that's already booted up and listed in Active Directory. Also add \\server\share\unregvgx.bat to startup and login scripts. There are other ways to do all of this that are more refined but I like quick and dirty for stuff like this.
Thoughts? Will that suffice to protect my network until Microsoft releases a patch?
One other question: What is the actual exploit being used for? What kind of damage/payload are we looking at?
Is there a known example of the exploit I can test against, as in a URL I can go to and see if I get infected?
I went one step further and just put a file restriction policy on iexplore.exe on the XP machines, we are chrome users here so no need for it
One final patch for XP?
Emergency patch for critical IE 0-day throws lifeline to XP laggards, too « Ars Technica
according to FireEye.Microsoft has released an emergency update for all recent Windows operating systems—including the recently decommissioned XP—fixing a critical security bug that is currently being exploited in real-world attacks.
The decision to patch XP underscores the potential seriousness of the vulnerability. Since it resides in versions 6 through 11 of Internet Explorer, the remote code-execution hole leaves an estimated 26 percent of Internet browsers susceptible to attacks that can surreptitiously install hacker-controlled backdoors when users visit a booby-trapped website. By some measures, 28 percent of the Web-using public continues to use the aging OS, which lacks crucial safety protections built into Windows 7 and 8.1. Thursday's release demonstrates the razor-thin tightrope Microsoft walks as it tries to wean users off a platform it acknowledges is no longer safe against modern hacks. While the XP fix may deprive some laggards of the incentive to upgrade, Microsoft also has a responsibility to prevent exploits that could turn large numbers of the Internet population into compromised platforms that attack others.
Using EMET may break the exploit in your environment and prevent it from successfully controlling your computer. EMET versions 4.1 and 5.0 break (and/or detect) the exploit in our tests.
Enhanced Protected Mode in IE breaks the exploit in our tests. EPM was introduced in IE10.
Additionally, the attack will not work without Adobe Flash. Disabling the Flash plugin within IE will prevent the exploit from functioning. (Source)
Last edited by Arthur; 1st May 2014 at 08:44 PM.
M$ shouldn't have done that. How on earth will we get rid of xp.
There are currently 1 users browsing this thread. (0 members and 1 guests)