New Internet Explorer Exploit
The Internet Storm Centre has some info on a new IE Exploit floating around the net.
The UK group "Computer Terrorism" released a proof of concept exploit against patched versions of Internet Explorer. We verified that the code is working on a fully patched Windows XP system with default configuration.
has been known for a few months now, but it has so far been treated as a denial of service (DoS) vulnerability. The author of this PoC figured out a way to use this older vulnerability to execute code.
Arbitrary executables may be executed without user interaction. The PoC demo as tested by us will launch the calculator (calc.exe).
In addition ot the PoC 'Calculator' exploit, a reader (thanks Chris R!) submitted a version that opens a remote shell. The PoC exploit allows for easy copy/paste of various shell code snippets.
In itself, the vulnerability will not escalate privileges. We are trying to verify other exploits at this point.
Microsoft Security Advisory is here. No Patch yet though...
Snort IDS signature if your fortunate enough to have a Linux based firewall.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"BLEEDING-EDGE CURRENT EVENTS Microsoft Internet
Explorer Window() Possible Code Execution"; flow:established,from_server;
content:"window"; nocase; pcre:"/[=:'"s]windows*(s*)/i";
reference:url,secunia.com/advisories/15546; \ reference:url,http://www.computerterrorism.com/res.../ct21-11-2005;
reference:cve,2005-1790; classtype:attempted-user; sid:2002682; rev:1; )
Re: New Internet Explorer Exploit
Sophos has a press release here:
The flaw is being actively exploited by malicious websites.