QODS ec

Tuesday, June 29, 2004

SEC: UNIRAS (UK Govt CERT) ALERT - 28/04 dated 29.06.04



----------------------------------------------------------------------------
UNIRAS (UK Govt CERT) ALERT - 28/04 dated 29.06.04 Time: 15:24
UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
----------------------------------------------------------------------------
UNIRAS material is also available from its website at www.uniras.gov.uk and
information about NISCC is available from www.niscc.gov.uk
----------------------------------------------------------------------------

Title
=====
Vulnerabilities in Microsoft Internet Explorer

Detail
======
Departmental and organisational security officers should be aware of the
existence and exploitation of currently unpatched vulnerabilities in
Microsoft Internet Explorer. Although these issues were referred to
indirectly in UNIRAS Briefing 308/04 and discussed in US CERT Technical
Cyber Security Alert TA04-163A (see UNIRAS Briefing 288/04), the potential
impact of the vulnerabilities needs to be stressed: an attacker could
execute code remotely, in the context of the user, on the computer of a web
user who has visited a web site with malicious content (which may be a
legitimate web site that has been compromised) or who has downloaded and
viewed an HTML email. A current exploit is called Scob or Download.Ject (see
the base of this email for URLs).

The essence of the exploit is that malicious JavaScript is injected into an
embedded frame (IFRAME) that is returned, after a time-out, by web server
redirection to an error page held on the web user's computer. Because the
error page is in the My Computer zone, the malicious code executes in that
context, which gives it access to the resources of the local computer,
including the ADODB.Stream, Shell.Application and XMLHTTP ActiveX objects,
which are used to download and execute files. This exploit uses two
unpatched vulnerabilities, Bugtraq IDs 10472 and 10473; see:

http://www.securityfocus.com/bid/10472
http://www.securityfocus.com/bid/10473

The following mitigation steps are recommended:

- Set the kill bit on ActiveX objects that you do not need in Internet
  Explorer, including ADODB.Stream, Shell.Application and XMLHTTP; see
  http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q240797&ID=KB;EN-US;Q240797
  for details
- Disable the use of unsigned ActiveX controls and active scripting in the
  Internet Explorer Internet zone; see the guidance in NISCC Technical Note
  05/03
- Consider using another web browser
- Apply patches to web browsers and email clients when they become available
- Use a desktop anti-virus product and keep signatures up to date
- Use anti-spam measures at the organisational boundary; see NISCC Technical
  Note 02/04
- Block high-risk file types via email content filters or email servers; see
  NISCC Technical Note 03/04
- Implement a whitelist on email servers and any web proxy servers to exclude
  HTML tags including IFRAME and OBJECT
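As an added illustration of the last step (example code, not part of the UNIRAS notice), the filter below strips IFRAME and OBJECT elements from HTML passing through a mail or proxy gateway. It is a denylist of the two tags the notice names rather than the full whitelist the notice suggests, and it uses a real HTML parser so that mixed-case tags and tags split across lines are still caught; the sample page and URLs are constructed.

```python
# Added example, not from the notice: a gateway-side HTML filter that drops
# IFRAME and OBJECT elements with their nested content, passes everything else
# through verbatim and reports what it removed so the gateway can log it.
from html.parser import HTMLParser

BLOCKED = {"iframe", "object"}  # the two tags named in the notice

class ActiveContentFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)  # re-emit &amp; etc. verbatim
        self.out, self.removed, self.depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED:  # names arrive lower-cased, so <IFRAME> matches
            self.removed.append(self.get_starttag_text())
            self.depth += 1  # swallow everything nested inside it
        elif not self.depth:
            self.out.append(self.get_starttag_text())
    def handle_startendtag(self, tag, attrs):  # <tag .../>: opens and closes
        self.handle_starttag(tag, attrs)
        if tag in BLOCKED:
            self.depth -= 1
    def handle_endtag(self, tag):
        if tag in BLOCKED:
            self.depth = max(0, self.depth - 1)
        elif not self.depth:
            self.out.append(f"</{tag}>")

    def _emit(self, text):  # all other markup passes through outside a block
        if not self.depth:
            self.out.append(text)

    def handle_data(self, data): self._emit(data)
    def handle_entityref(self, name): self._emit(f"&{name};")
    def handle_charref(self, name): self._emit(f"&#{name};")
    def handle_comment(self, data): self._emit(f"<!--{data}-->")
    def handle_decl(self, decl): self._emit(f"<!{decl}>")

def strip_active_content(html):
    """Return (filtered_html, removed start tags) so the gateway can log them."""
    f = ActiveContentFilter()
    f.feed(html)
    f.close()
    return "".join(f.out), f.removed

# Constructed sample: mixed case, a tag split across lines, a nested <param>.
SAMPLE = """<html><body><h1>Welcome</h1><p>Normal &amp; safe text</p>
<IFRAME src="http://example.invalid/a" width=0 height=0></IFRAME>
<iframe
  src="http://example.invalid/b">fallback text</iframe>
<object classid="clsid:0000"><param name="k" value="v"></object><p>End</p></body></html>"""
```

Content filtering of this kind is defence in depth for the gateway; it does not remove the browser-side vulnerability, which still needs the other steps above.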

Details about Scob/Download.Ject can be found at:

http://www.microsoft.com/security/incident/download_ject.mspx
http://securityresponse.symantec.com/avcenter/venc/data/download.ject.html
http://www.f-secure.com/v-descs/scob.shtml
http://vil.nai.com/vil/content/v_126241.htm
http://www.sophos.com/virusinfo/analyses/jsscoba.html

----------------------------------------------------------------------------

For additional information or assistance, please contact the Help Desk by
telephone; Not Protectively Marked information may be sent via email to:
uniras@niscc.gov.uk

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

----------------------------------------------------------------------------
Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply its
endorsement, recommendation, or favouring by UNIRAS or NISCC. The views and
opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC accepts responsibility for any errors or omissions
contained within this briefing notice. In particular, they shall not be
liable for any loss or damage whatsoever, arising from or in connection with
the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams
(FIRST) and has contacts with other international Incident Response Teams
(IRTs) in order to foster cooperation and coordination in incident
prevention, to prompt rapid reaction to incidents, and to promote
information sharing amongst its members and the community at large.
----------------------------------------------------------------------------




INFOCON Mailing List @
IWS - The Information Warfare Site
http://www.iwar.org.uk
