Surfing With Sharks
Author: Carl Jongsma
 
Publicly exploitable vulnerabilities in Internet Explorer are
far more common than many security people would like. The
recently discovered VML arbitrary code execution flaw is
probably one of the more serious issues to come to light in
recent months. Rooted in a core component of Internet Explorer,
the vulnerability allows attackers to run code of their choice
on victims' systems, provided that the victims can be tricked
into viewing malicious content.

That critical step, getting a victim in front of malicious
content, has unfortunately become much easier in recent days.
When exploitation of the issue was first discovered, it was
primarily adult websites that were using it to install malware
on the systems of visitors. Much as WMF exploitation progressed
at the start of the year, VML exploitation has recently taken a
nasty turn. The hosting provider HostGator was compromised,
through what is believed to be a previously unknown cPanel
vulnerability, and its clients' websites were redirected to
sites that exploited the VML vulnerability, infecting visitors'
systems. In this case visitors could be browsing legitimate,
trusted websites and still end up on a page busy installing
malicious content, with no need for the attacker to lure them
to a dubious site at all. Anecdotal evidence suggests that
exploitation is much broader than is being reported by
Microsoft and the major security providers.

Although there have been a number of serious problems in cPanel
over recent months, the most recently disclosed is a privilege
escalation vulnerability reported in the last couple of days.
Assuming this is the issue exploited to take control of
HostGator's servers, it is something that a lot of hosting
providers and site administrators need to be very aware of. The
very popular site management tool normally installs into known
locations, and it doesn't take long to discover whether a site
is managed with cPanel. A privilege escalation exploit needs a
foothold first: the attacker must already have access to a
legitimate user account on the server, so it would be prudent
to ensure that all cPanel administrators and users are using
strong passwords. Operators of sites on shared servers need to
be aware that the compromise of an account belonging to another
site on the same server can lead to damage to theirs. The
cPanel developers have since released an update for the issue,
which affects all versions of the software.

Initial response to the VML issue suggested that disabling
JavaScript support would be sufficient to protect against
exploitation. As exploit samples progressed, it was noticed
that this step was not enough: exploits were working even
though scripting support had been disabled. This should not be
surprising, since VML is declared and rendered directly from
page markup, so the vulnerable component can be reached
without any script running at all. Until Microsoft is able to
release a patch (believed to be scheduled for the October
security release on October 10), the best advice for most
users is to use an alternate browser. Advanced users can
deregister the affected DLL (the VML renderer, vgx.dll) with
regsvr32, though this has a risk of causing further damage to
a system if the user gets it wrong, and it prevents legitimate
use of the VML functions the DLL supports until it is
registered again.
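The two points above, that visitors of a compromised legitimate site are silently pulled onto a third-party page, and that a VML page needs no script to reach the vulnerable component, can both be checked for on the server side. The following is an added example written for this article, not code from the author or from any of the products mentioned: a small scanner a site operator on a shared host could run over their own HTML to triage pages that include or redirect to an outside host, and pages that enable VML. The VML markers it looks for (the urn:schemas-microsoft-com:vml namespace and the #default#VML behavior) are how a page switches on VML in Internet Explorer; the site host, sample pages and the 203.0.113.7 address are constructed for illustration. A VML hit is a triage signal rather than a verdict, since legitimate pages (such as HTML exported from Office) also use VML.

```python
import re
from dataclasses import dataclass, field

# How a page enables VML in IE: the "v:" namespace on the root element and
# the #default#VML behavior in a style rule. Both are handled by IE's VML
# rendering component as the markup is parsed, so no script needs to run.
VML_NAMESPACE = "urn:schemas-microsoft-com:vml"
VML_BEHAVIOR = "#default#vml"

# Redirect and inclusion primitives used to pull visitors of a compromised
# site into a third-party page.
META_REFRESH = re.compile(r"<meta\b[^>]*http-equiv\s*=\s*['\"]?refresh", re.I)
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_ATTR = re.compile(r"\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
HIDDEN_STYLE = re.compile(
    r"(?:width|height)\s*=\s*['\"]?0\b|display\s*:\s*none|visibility\s*:\s*hidden",
    re.I)
SCRIPT_TAG = re.compile(r"<script\b", re.I)
URL_HOST = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.I)


@dataclass
class Finding:
    page: str
    uses_vml: bool = False
    has_script: bool = False
    reasons: list = field(default_factory=list)


def is_external(url, site_host):
    """True when an absolute URL points at a host other than the site's own."""
    m = URL_HOST.match(url)
    return bool(m) and m.group(1).lower() != site_host.lower()


def scan_page(name, html, site_host):
    """Flag VML use and redirect/inclusion primitives in one HTML document."""
    f = Finding(page=name)
    lowered = html.lower()
    f.has_script = bool(SCRIPT_TAG.search(html))
    if VML_NAMESPACE in lowered or VML_BEHAVIOR in lowered:
        f.uses_vml = True
        note = "" if f.has_script else " (no <script> on page)"
        f.reasons.append("VML markup present" + note)
    if META_REFRESH.search(html):
        f.reasons.append("meta refresh redirect")
    for m in IFRAME_TAG.finditer(html):
        tag = m.group(0)
        src = SRC_ATTR.search(tag)
        target = src.group(1) if src else "(no src)"
        if HIDDEN_STYLE.search(tag):
            f.reasons.append("hidden iframe -> " + target)
        elif is_external(target, site_host):
            f.reasons.append("iframe to external host -> " + target)
    return f


def scan_site(pages, site_host):
    """Scan {filename: html} and return findings for pages with any reason."""
    return [r for r in (scan_page(n, h, site_host) for n, h in pages.items())
            if r.reasons]


# Constructed sample pages for illustration (not captured from any real site).
SITE_HOST = "www.example-shop.invalid"
SAMPLE_PAGES = {
    # Untouched page: its own script, no VML, no redirects.
    "index.html": (
        '<html><head><title>Shop</title><script src="/js/menu.js"></script></head>'
        '<body><h1>Welcome</h1></body></html>'),
    # Typical injection: a zero-size iframe to a third-party host appended
    # after the closing tag so the page still renders normally.
    "about.html": (
        '<html><head><title>About</title></head><body><p>About us</p></body></html>\n'
        '<iframe src="http://203.0.113.7/in.cgi?3" width="0" height="0" '
        'frameborder="0"></iframe>'),
    # Page of the kind a visitor is redirected to: VML is declared and a
    # shape is drawn purely from markup; there is no <script> anywhere.
    "landing.html": (
        '<html xmlns:v="urn:schemas-microsoft-com:vml"><head>'
        '<style>v\\:* { behavior: url(#default#VML); }</style></head>'
        '<body><v:rect style="width:120px;height:60px" fillcolor="#c00"/></body></html>'),
}

if __name__ == "__main__":
    for f in scan_site(SAMPLE_PAGES, SITE_HOST):
        print(f.page, "vml=%s script=%s" % (f.uses_vml, f.has_script), f.reasons)
```

Run against a real account, pages would be read from the web root rather than from SAMPLE_PAGES; the hidden-iframe check is the one most likely to catch an injected redirect, while the VML check highlights that the landing page is flagged with no script on it at all.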

Users who are more adventurous might want to check out an
unofficial patch released by the Zero Day Emergency Response
Team (ZERT), the same group that provided an early third-party
patch for the WMF vulnerability earlier this year. There is
still great concern, as public exploit samples have recently
been released that can attack Windows XP SP2 systems, where
previous samples had only worked against Windows XP SP1.


About The Author: Carl is the founder and lead researcher for
Sunnet Beskerming (http://www.beskerming.com), an Information
Security company with a difference. Based in Australia, but
serving the world, Carl and his company provide services that
can't be outdone.