Alerts
Zero Day Exploit Alert: WebViewFolderIcon setSlice Vulnerability.
Date:
October 2, 2006
Severity:
Critical
Systems Affected:
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Overview:
Once again, users are subject to the increasing trend of zero day vulnerabilities in client side software being disclosed with no protection offered from the Operating System vendors. On July 18, 2006, a vulnerability in Internet Explorer was reported to the public via the Broswer Fun BLOG. Since this initial report it has been found that this vulnerability is an exploitable integer overflow allowing for remote code execution. A module for the popular penetration testing tool Metasploit has been released that leverages this bug and reports of it being used in the wild, while limited, are beginning to surface.
The PoC is an integer overflow-based heap overflow, in the DSA_SetItem function in COMCTL32.DLL. An arithmetic overflow can occur during multiplication to calculate the desired size for a call to ReAlloc, that isn't reproduced during a subsequent call to memmove, so the allocated size can be smaller than the copy size and result in a heap buffer overflow.
Although COMCTL32.DLL is a common DLL used by lots of Windows GUI functionality, currently the only known attack vector is via the WebViewFolderIcon ActiveX control ({844F4806-E8A8-11d2-9652-00C04FC30871} and {E5DF9D10-3B52-11D1-83E8-00A0C90DC849}). Therefore, kill-bitting the control is a viable workaround for the existing in-the-wild exploits, which are being reported by the Internet Storm Center and others.
This vulnerability can result in remote code execution in the context of the logged in user. In order to exploit this an attacker must create a malicious website or leverage a site that allows for custom user content.
Prevention:
eEye customers are proactively protected against this attack with Blink. If you are not an eEye customer and are looking for proactive protection against this attack and many others you can learn more about Blink here.
Home users can download a free version of Blink Personal here. Blink Personal is free for consumer/personal use and will successfully prevent this attack as well as many others.
In addition you can set the killbit on the following CLSID:
{844F4806-E8A8-11d2-9652-00C04FC30871} and
{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}
You can do this by following these directions as provided in the Microsoft Advisory:
To set the kill bit for a CLSID with a value of {e5df9d10-3b52-11d1-83e8-00a0c90dc849}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{e5df9d10-3b52-11d1-83e8-00a0c90dc849}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-9652-00C04FC30871}]
"Compatibility Flags"=dword:00000400
You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy.
Links:
Microsoft Security Advisory
Blink Professional
This alert was last updated on October 2, 2006.
October 2, 2006
Severity:
Critical
Systems Affected:
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Overview:
Once again, users are subject to the increasing trend of zero day vulnerabilities in client side software being disclosed with no protection offered from the Operating System vendors. On July 18, 2006, a vulnerability in Internet Explorer was reported to the public via the Broswer Fun BLOG. Since this initial report it has been found that this vulnerability is an exploitable integer overflow allowing for remote code execution. A module for the popular penetration testing tool Metasploit has been released that leverages this bug and reports of it being used in the wild, while limited, are beginning to surface.
The PoC is an integer overflow-based heap overflow, in the DSA_SetItem function in COMCTL32.DLL. An arithmetic overflow can occur during multiplication to calculate the desired size for a call to ReAlloc, that isn't reproduced during a subsequent call to memmove, so the allocated size can be smaller than the copy size and result in a heap buffer overflow.
Although COMCTL32.DLL is a common DLL used by lots of Windows GUI functionality, currently the only known attack vector is via the WebViewFolderIcon ActiveX control ({844F4806-E8A8-11d2-9652-00C04FC30871} and {E5DF9D10-3B52-11D1-83E8-00A0C90DC849}). Therefore, kill-bitting the control is a viable workaround for the existing in-the-wild exploits, which are being reported by the Internet Storm Center and others.
This vulnerability can result in remote code execution in the context of the logged in user. In order to exploit this an attacker must create a malicious website or leverage a site that allows for custom user content.
Prevention:
eEye customers are proactively protected against this attack with Blink. If you are not an eEye customer and are looking for proactive protection against this attack and many others you can learn more about Blink here.
Home users can download a free version of Blink Personal here. Blink Personal is free for consumer/personal use and will successfully prevent this attack as well as many others.
In addition you can set the killbit on the following CLSID:
{844F4806-E8A8-11d2-9652-00C04FC30871} and
{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}
You can do this by following these directions as provided in the Microsoft Advisory:
To set the kill bit for a CLSID with a value of {e5df9d10-3b52-11d1-83e8-00a0c90dc849}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{e5df9d10-3b52-11d1-83e8-00a0c90dc849}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-9652-00C04FC30871}]
"Compatibility Flags"=dword:00000400
You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy.
Links:
Microsoft Security Advisory
Blink Professional
This alert was last updated on October 2, 2006.
