Surfing with Sharks
By Carl Jongsma
Publicly exploitable vulnerabilities in Internet Explorer are far more common than many security people would like. The recently discovered VML arbitrary code execution flaw is probably one of the more serious issues to come to light in recent months. Rooted in a core component of Internet Explorer, the vulnerability allows attackers to run code of their choice on victims' systems, provided that the victims can be tricked into viewing malicious content.
This critical step in the process has unfortunately been made much easier in recent days. When exploitation of the issue was first discovered, it was primarily adult websites that were using it to install malware on the systems of visitors. Much as the WMF exploitation at the start of the year progressed, VML exploitation recently took a nasty turn. Hosting provider HostGator was compromised through what is believed to be a previously unknown cPanel vulnerability, and client websites were being redirected to sites that exploited the VML vulnerability, thus infecting the systems of visitors. In this case, site visitors could be visiting legitimate, trusted websites but end up on a page that is busy installing malicious content. Anecdotal evidence suggests that exploitation is much broader than is being reported by Microsoft and major security providers.
Although there have been a number of serious problems in cPanel over recent months, the most recent issue to be disclosed is a privilege escalation vulnerability reported in the last couple of days. Assuming that this is the issue exploited to take control of HostGator's servers, it is something that a lot of hosting providers and site administrators need to be very aware of.
The very popular site management tool normally installs into known locations, and it doesn't take long to discover whether a site is using cPanel to manage it. A privilege escalation exploit can only be used once access to a legitimate user account has been gained, so it would be prudent to ensure that all cPanel administrators and users are using strong passwords. Operators of sites on shared servers need to be aware that the compromise of an account belonging to another site can lead to damage to theirs. cPanel's developers have since released an update addressing the issue, which affects all versions of the software.
Initial response to the VML issue suggested that disabling JavaScript support would be sufficient to protect against exploitation. As exploit samples progressed, it was noticed that this step was not enough - exploits were working even though scripting support had been disabled. Until Microsoft are able to release a patch (believed to be scheduled for the October security patch release on October 10), the best advice for most users is to use an alternate browser. Advanced users can deregister the affected DLL, though this risks causing further damage to a system if the user gets it wrong, and it prevents legitimate use of the functions the DLL supports.
Users who are more adventurous might want to check out a patch released by the Zero Day Emergency Response Team (ZERT), the same group that provided an early patch for the WMF vulnerability earlier this year. There is still great concern, as public exploit samples have recently been released that provide a means to attack Windows XP SP2 systems, whereas previous samples had only been available for Windows XP SP1.