Tuesday, April 11, 2006
Internet "Ass"plorer Vulnerabilities - SANS Top 20
To all the readers,
Folks ... I really do apologize for all the spelling mistakes and language that will be in today's write-up.
Have you people heard of "Royal Challenge"? It’s a really nice (Indian) whisky.
Before we start I would like you to read the fine print up on the main blog page. That will tell you how much of a fan I am of this product.
BTW ... I'm doing something called "Patch Management" ... Really bad job ... I know a few guys who did this for almost a year and think they are the dudes... “The Security dudes”.
You don't have to know the MS KB numbers by heart. You must have an understanding of the security hole instead. According to one of my seniors, "This will be a good learning experience for you".
OK ... Back to work (and Royal Challenge)
According to the assholes at SANS "Microsoft Internet Explorer is the most popular browser used for web surfing".
Don't believe me? Check this out (http://www.sans.org/top20/#w2)
As some people would say "Yeah! Right!!! 'Dusht'"
Let us start with a quote from SANS:
Microsoft Internet Explorer is the most popular browser used for web surfing and is installed by default on each Windows system. Internet Explorer contains multiple vulnerabilities that can lead to memory corruption, spoofing and execution of arbitrary scripts. The most critical issues are the ones that lead to remote code execution without any user interaction when a user visits a malicious webpage or reads an email. Exploit code for many of the critical Internet Explorer flaws are publicly available.
These flaws have been widely exploited to install spyware, adware and other malware on users' systems. The spoofing flaws have been leveraged to conduct phishing attacks. In many cases, the vulnerabilities were 0-days i.e. no patch was available at the time the vulnerabilities were publicly disclosed.
During the past year Microsoft has released multiple updates for Internet Explorer.
1. Cumulative Security Update for Internet Explorer (MS05-052)
2. Cumulative Security Update for Internet Explorer (MS05-038)
3. JView Profile Remote Code Execution (MS05-037)
4. Cumulative Security Update for Internet Explorer (MS05-025)
5. Cumulative Security Update for Internet Explorer (MS05-020)
6. Cumulative Security Update for Internet Explorer (MS05-014)
7. Windows Shell Remote Code Execution (MS05-008)
8. Cumulative Security Update for Internet Explorer (MS04-040)
9. Cumulative Security Update for Internet Explorer (MS04-038)
10. Cumulative Security Update for Internet Explorer (MS04-025)
Note that the latest cumulative update for Internet Explorer includes all the previous cumulative updates.
Here are some patches I feel are important … However understand the vulnerability … Don't just patch because it’s a Tuesday and Microsoft said so … … …
Some vulnerabilities have been discovered in Internet Explorer, which can be exploited by malicious people to compromise a user's system, conduct cross-site/zone scripting and bypass a security feature in Microsoft Windows XP SP2.
1) Insufficient validation of drag and drop events from the "Internet" zone to local resources for valid images or media files with embedded HTML code. This can be exploited by e.g. a malicious web site to plant arbitrary HTML documents on a user's system, which may allow execution of arbitrary script code in the "Local Computer" zone.
This vulnerability is a variant of SA12321.
NOTE: Microsoft Windows XP SP2 does not allow Active Scripting in the "Local Computer" zone.
2) A security site / zone restriction error, where an embedded HTML Help control on e.g. a malicious web site references a specially crafted index (.hhk) file, can execute local HTML documents or inject arbitrary script code in the context of a previously loaded document using a malicious javascript URI handler.
Successful exploitation may allow execution of arbitrary HTML and script code in a user's browser session in the context of arbitrary sites, or execution of local programs with parameters from the "Local Computer" zone using an HTML Help shortcut.
NOTE: This will bypass the "Local Computer" zone lockdown security feature in SP2.
3) A security site / zone restriction error in the handling of the "Related Topics" command in an embedded HTML Help control can be exploited by e.g. a malicious website to execute arbitrary script code in the context of arbitrary sites or zones.
This update resolves a newly-discovered public vulnerability and other privately-reported variations of the same vulnerability. The Microsoft DDS Library Shape Control (Msdds.dll) and other COM objects could, when instantiated in Internet Explorer, allow an attacker to take complete control of an affected system. Because these COM objects were not designed to be instantiated in Internet Explorer, this update sets the kill bit for the affected Class Identifiers (CLSID) in these COM objects. The vulnerability is documented in the “Vulnerability Details” section of this bulletin.
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
What causes the vulnerability?
When Internet Explorer tries to instantiate certain COM objects as ActiveX controls, the COM objects may corrupt system memory in such a way that an attacker could execute arbitrary code.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system. In a Web-based attack scenario, an attacker would host a Web site that exploits this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. It could also be possible to display malicious Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.
How could an attacker exploit the vulnerability?
An attacker could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site.
Packages for this security update that were located on the Microsoft Download Center have been updated as the initial packages were corrupt, causing some Systems Management Server (SMS) and Internet Explorer installation failures. New packages are now available and Microsoft encourages users to re-download the packages from the links below and re-apply. Updates downloaded from Automatic Update, Windows Update, Microsoft Update and Windows Server Update Services (WSUS), were not affected by this issue.
This update resolves several newly-discovered, publicly and privately reported vulnerabilities. Each vulnerability is documented in its own “Vulnerability Details” section of this bulletin.
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Does this update contain any security-related changes to functionality?
Yes. Besides the changes that are listed in the “Vulnerability Details” section of this bulletin and in addition to changes introduced in previous Internet Explorer security bulletins, this update introduces a change to disable the use of arbitrary system monikers in OBJECT tags in Internet Explorer as a defense in depth improvement. For more information about monikers, see the product documentation. This update also changes the behavior of the Favorites control in Internet Explorer as a defense in depth improvement. After you apply this security update, the Favorites control can only be used as intended and only be called from certain Internet Explorer dialog boxes.
To help protect customers who have these objects installed, this update prevents older versions of these objects from running in Internet Explorer. It does this by setting the kill bit for the older versions of these objects that are no longer supported. For more information about kill bits, see Microsoft Knowledge Base Article 240797.
This update also sets the kill bit for the COM objects listed under 'What does the update do?' in the Vulnerability Details section. For more information, see the ‘COM Object Instantiation Memory Corruption Vulnerability - CAN-2005-1990’ in the vulnerability details section in this bulletin.
Does this update contain any other changes to functionality?
Yes. This update also includes non-security-related changes that were introduced in previous Internet Explorer security bulletins.
This update resolves a newly-discovered, public vulnerability. A COM object, the JView Profiler (Javaprxy.dll), when instantiated in Internet Explorer, contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system. Since the JView Profiler COM object was not designed to be accessed through Internet Explorer, this update sets the kill bit for the JView Profiler (Javaprxy.dll) COM object. The vulnerability is documented in the “Vulnerability Details” section of this bulletin.
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
How does the extended support for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition affect the release of security updates for these operating systems?
Microsoft will only release security updates for critical security issues. Non-critical security issues are not offered during this support period.
This update resolves two newly-discovered, publicly and privately reported vulnerabilities. Each vulnerability is documented in its own “Vulnerability Details” section of this bulletin.
If a user is logged on with administrative user rights, an attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Why does this update address several reported security vulnerabilities?
This update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that are almost the same, customers can install only this update.
ActiveX Controls are the "Main cause of sorrow ..." This is how to stop an ActiveX control from running in Internet Explorer:
1. Determine the CLSID for the ActiveX control that you want to disable. If you are not sure of the CLSID for the control, contact the manufacturer. If the control is installed, you may be able to determine its CLSID if you know its friendly name. To do this, examine the Default string value for the ProgID key for each of the CLSID keys in HKEY_CLASSES_ROOT\CLSID. You may have to remove as many ActiveX controls as possible, except for the one that you want to disable, to make it easier to identify the appropriate CLSID. For more information about how to remove ActiveX controls, click the following article number to view the article in the Microsoft Knowledge Base: 154850
2. Use Registry Editor to view the data value of the Compatibility Flags DWORD value of the ActiveX object CLSID in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\<CLSID of the ActiveX control>, where <CLSID of the ActiveX control> is the class identifier of the appropriate ActiveX control.
3. Change the value of the Compatibility Flags DWORD value to 0x00000400 (the "kill bit").
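Steps 1 to 3 above as an added PowerShell example (my own code, not from the original post or the Microsoft KB article it paraphrases): Find-ClsidByProgId resolves a CLSID from a friendly ProgID via HKEY_CLASSES_ROOT\CLSID, Set-ActiveXKillBit ORs 0x400 into Compatibility Flags so any flags already present are kept, and Test-ActiveXKillBit verifies the result. The function names and the all-zero CLSID in the usage lines are constructed placeholders; run it from an elevated prompt.

```powershell
# Added example (not from the original post): resolve, set and verify the
# Internet Explorer ActiveX "kill bit" for a CLSID, per the three-step procedure.
$KillBitFlag = 0x00000400   # Compatibility Flags bit that stops IE instantiating the control
$CompatRoot  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Find-ClsidByProgId {
    param([Parameter(Mandatory)][string]$ProgId)
    # Step 1: walk HKCR\CLSID and match each key's ProgID subkey default value
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $progKey = Join-Path $_.PSPath 'ProgID'
            if (Test-Path $progKey) {
                $value = (Get-ItemProperty -Path $progKey).'(default)'
                if ($value -eq $ProgId) { $_.PSChildName }   # e.g. {XXXXXXXX-...}
            }
        }
}

function Get-CompatKey([string]$Clsid) {
    # IE stores the CLSID in braced form under ActiveX Compatibility
    Join-Path $CompatRoot ('{' + $Clsid.Trim('{}') + '}')
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Get-CompatKey $Clsid
    # Step 2: create the key if the control has no compatibility entry yet
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = 0
    $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($item) { $current = [int]$item.'Compatibility Flags' }
    # Step 3: OR in 0x400 rather than overwrite, so other flags survive
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $KillBitFlag) -Force | Out-Null
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $item = Get-ItemProperty -Path (Get-CompatKey $Clsid) -Name 'Compatibility Flags' `
        -ErrorAction SilentlyContinue
    if (-not $item) { return $false }
    return (([int]$item.'Compatibility Flags' -band $KillBitFlag) -ne 0)
}

# Usage with a constructed placeholder CLSID (replace with the CLSID from step 1)
$clsid = '{00000000-0000-0000-0000-000000000000}'
Set-ActiveXKillBit -Clsid $clsid
"Kill bit set for $clsid : $(Test-ActiveXKillBit -Clsid $clsid)"
```

A kill-bitted control can still be present on disk; the flag only blocks Internet Explorer from instantiating it, which is exactly what the cumulative updates above do for the listed CLSIDs.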
Microsoft Internet Explorer Drag and Drop Vulnerability
http-equiv has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to insufficient validation of drag and drop events issued from the "Internet" zone to local resources. This can be exploited by a malicious website to e.g. plant an arbitrary executable file in a user's startup folder, which will get executed the next time Windows starts up.
http-equiv has posted a PoC (Proof of Concept), which plants a program in the startup directory when a user drags a program masqueraded as an image.
This vulnerability is a variant of an issue discovered by Liu Die Yu (SA9711).
The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2.
NOTE: The vulnerability is actively being exploited in the wild.
“Sweet Heart some ice please …
OK!! Let’s exploit the fucker
OK … Enough of those dumb patches …
So, 8 pegs high on MSIE … & I feel like hacking …
This is my attempt to replicate an exploit for MSIE:
If you don’t understand XML and HTML … I really cannot help you here … Talking about RPCs in the last post; “Do you know that there is an XML-RPC too?”
All "createPopup" does is create a (featureless) window containing an empty HTML document, this does not pose a threat, but later on, that document has HTML injected to it (using innerHTML), which is the actual problem.
For example, the following code will work just the same:
Note: innerHTML is not the only property used to dynamically insert HTML into an element; it is also possible to use outerHTML, insertAdjacentHTML and more to get the same results.
Discussion:
So now that we have identified the origin of the problem we can search for ways to dynamically insert HTML without using any Active Scripting at all. It will then become possible to use this vulnerability in more "protected" environments, such as Microsoft Outlook or Internet Explorer with Active Scripting and ActiveX disabled.
One of the exciting features that came along in IE4 was Data Binding; it enables developers to completely separate any application data from the presentation layer. The data sources (DSO) for Data Binding can be almost anything, CSV files (with TDC), HTML, XML and many more. Data Binding binds HTML elements (data consumers) such as div or span to the DSO without need for a single line of script code.
We found out that when the "dataFormatAs" attribute is set to "HTML" on the consumer, Data Binding internally uses innerHTML in order to insert the data into the element (otherwise innerText is used).
So all we need to do now is supply a DSO that contains the offending
Exploit:
In the following example we're using an XML data-island as our DSO and a span element as the data consumer. Using XML is especially comfortable because it can be embedded within the document, without need for external requests that may be stopped by the host application.
Solution:
There is no configuration-tweaking workaround for this vulnerability; it will work as long as the browser parses HTML. The only possible solution must come in the form of a patch from Microsoft.
Update - 3 Mar 2002
Since the injected
Here is the registry information:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
Change the value of "1004" (DWORD) to 3.
This should work on:
(I really cannot guarantee this … Ensure that patches are not installed)
IE5.5 Win98.
IE5.5 NT4.
IE6 Win2000.
IE6 WinXP.
An online demo of calc.exe can be found here and an advanced demonstration here.
Will someone please listen to me?
I sincerely feel that MSIE should not be used in IT companies. IT companies would be primary targets for hackers. Why use MSIE when we have awesome browsers like Firefox?
Almost a bottle down … I love you Firefox
This is my evaluation: MSIE v/s Mozilla Firefox
Let me investigate on Google:
Domain Names
Firefox - firefox.com
Some kind soul donated the domain to the Mozilla Foundation.
At least they own their own domain name.
Internet Explorer –
internetexplorer.com Microsoft doesn't even own this one.
It's one of those generic search portals masquerading as an IE site.
Advantage - Firefox
Google Fights
Why does Internet Explorer crash all the time? - 2.57 million results
Vs.
Why does Firefox crash all the time? - 218,000 results
Next...
Internet Explorer - 22.8 million results
Vs.
Firefox - 23 million results
That one is definitely a surprise.
Next...
Internet Explorer will help me get laid - 1.34 million results
Vs.
Firefox will help me get laid - 75,700 results
A much better chance of getting lucky with IE.
Next...
Internet Explorer came with my computer - 6.9 million results
Vs.
Firefox came with my computer - 659,000 results
Tie breaker...
Internet Explorer is the best browser ever - 2,110,000 results
Vs.
Firefox is the best browser ever - 474,000 results
Advantage: Internet Explorer
Coin Flip - Best of 7
The coin flip was conducted using a 2000 Sacajawea dollar.
Internet Explorer - Heads
Firefox - Tails
Results: H-T-T-T-T-H-T
Advantage - Firefox
Stereotypical User
Internet Explorer - Brain dead newbie. Loves pop-ups, viruses, and spyware. Just wants to "surf the Internet and check my email." Oblivious to alternative lifestyles. Seeks help from "computer smart" nephew.
Firefox - Proselytizing ubergeek. Loves freedom, choice, and tabbed browsing. Just wants to "improve mankind with Open Source Software." Oblivious to market forces and the power of money. Seeks other geeks to join in on the evangelism.
Both are equally annoying.
Advantage - Even
Conclusions
It was a close battle, but Firefox edges out a victory against the Internet Explorer by a score of 3-2 with 1 tie and wins our Technical Award of Excellence.
Some really cool links that helped all night:
“Least Vulnerability” (6th April '06) …
http://lfpress.ca/newsstand/Business/2006/04/06/1522144-sun.html
What are other people saying about Internet Explorer?
Some magazine called "Forbes"; they had something to say about MSIE v/s Mozilla Firefox.
http://www.forbes.com/home/ebusiness/2004/10/04/cx_pp_1004mondaymatchup.html
Serious Internet Vulnerabilities and EXPLOITS:
This site is like never before...
http://www.hnc3k.com/ievulnerabil.htm
What does the almighty
http://www.us-cert.gov/cas/techalerts/TA05-221A.html
Shocking revelation ... Almost dropped my glass here.
http://secunia.com/advisories/12889/?show_all_related=1#related
A small search query at secunia.com gave me 99 vulnerabilities. Dude ... We'll investigate these later, sometime ... However I must warn you ... Some of them are really critical.
Also see …
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2127
0-Day Exploits of MSIE
ttp://www.eweek.com/aricle2/0,1759,1891749,00.asp?kc=EWRSS03119TX1K0000594
Mozilla Vulnerabilities … No one is perfect …
http://secunia.com/product/4227/
Good Night folks … You should be sleeping now … I have a night-shift … Not you !!!
I’m seriously looking for feedback … Kindly help me there …
Cheers and greets fly out to my pal’s DK & Mithun Mohan.
Love and God bless!!!
-DaNNy
Give me something about SECURITY Architecture/Compliance Acts, if possible.
"Learning is important, if you don't get that QUIT, it's high time dude!!!"
-Dawg
In a cyber cafe, the Mozilla browser had Internet Explorer written below it. haha!