Microsoft has just released security advisory 2501696 acknowledging a new zero-day flaw in all current versions of Windows (except Server Core). The flaw appears to allow maliciously crafted web pages to execute code in any “zone” regardless of which zone is specified.
Any applications that use Microsoft’s HTML renderer can be attacked including Internet Explorer, but applications that always open web content in the “Restricted zone” are not affected including Outlook, Outlook Express, and Windows Mail.
There is proof of concept code in the wild and it seems to be only a matter of time before we see criminals trying to exploit this flaw. For individuals, or people who only manage a small number of computers, Microsoft has provided a Fix it tool that allows you to apply their recommended settings without having to use GPOs or manually edit registry keys.
The SANS Internet Storm Center has posted a blog on this as well, noting all the current locations for information on this vulnerability.
Microsoft has provided mitigation advice and I highly recommend you consider deploying the mitigation settings using Group Policy Objects (GPOs) as soon as possible. It will likely be some time before Microsoft is able to release a patch for this vulnerability and this is one of the cases where it is likely worth the effort to implement the mitigations.
which is EXACTLY why I use Google Chrome 🙂 🙂
Chrome may also be vulnerable not to this attack but some other attack.
Firefox FTW. They always update security patches asap and it's open source.
I thought Chrome has a sandbox in the latest version that traps malware, Vivek. Is that not correct? Is the above vulnerability only for Internet Explorer, or is it a Windows vulnerability? Will using another browser protect you from this flaw? Thanks in advance
The flaw is in Windows, but it only affects products that use the MHTML renderer provided by Microsoft, so it does not affect Firefox, Safari, or Chrome. The flaw could be exploited through other Windows programs which may use the MS render engine.
I'm curious – what are the odds of a typical home user actually getting hit with this? If it's only proof of concept, and not actually being exploited, should one wait for the official patch or is it advisable to actually install the Fix it now?
The $64 question!
For home users, the fix is pretty uncontroversial – go to the page Chester links to above and click the "Fix it! – Enable" button.
(There is a "Fix it! Disable" button – I guess that sounds better than an "Unfix it!" button – for when the official patch comes out, or if you decide the workaround is getting in the way somehow.)
YMMV, but I've applied the Fix it! to my personal Windows 7 box. (OK, virtual machine.) I can still open and read MHTML files which I've saved locally, which is the only sort of MHTML file I've ever wanted or needed to open.
We have not seen any real malware exploiting this, only a proof of concept showing how one might exploit it. At this point you may wish to wait and see, but personally I applied the Fix it as the changes Microsoft make should not break anything in your home network.
As far as I am aware it is the Windows operating system itself that has this vulnerability, so it may not matter which browser you use. And yes, although it's a 'proof of concept' the article does state that it's in the wild and only a matter of time before it is exploited, so better to be safe than sorry, prevention better than cure etc……! The Microsoft 'Fix It' should plug the hole temporarily until they come up with a permanent fix, and is available from their support site. http://support.microsoft.com/kb/2501696
It's a flaw in Windows parsing, but only IE has the functionality that sees the code as valid code, not harmless text. Other browsers will harmlessly ignore it, therefore it's an IE bug. But Microsoft doesn't want to say that so near to IE9 being released; so they're making it out to be a Windows bug.
http://www.infoworld.com/t/malware/what-microsoft… has a good writeup; especially regarding ActiveX exploits being classed as IE bugs, despite being exactly the same mechanism as this exploit.
OK, so I see the registry changes to be made, and the KB article suggests applying them via GPO. Any suggestions as to how to apply the assorted registry updates via GPO?
I created a .reg file from the Microsoft article, and saved it in a common location on our network. Then I created a .bat file that does
regedit /s \\server\fileshare\reghack.reg
and put that in both the shutdown and startup scripts in a group policy object that's then linked to the OU with our computers in it.
I chose both the shutdown and startup scripts, as just the startup script didn't apply to enough computers until they were rebooted too many times, while the startup script seemed to be "quicker" to be deployed and run.
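An added example of the startup-script approach described in the comment above (this is not the commenter's script and not anything Microsoft ships): it imports the workaround .reg file once, skips machines where it has already run, and leaves a marker value an admin can query when the official patch arrives and the workaround needs reverting. The share path, .reg file name and marker key are assumed placeholders; the script is meant to run as a GPO startup script, which runs as SYSTEM and can therefore write to HKLM.

```batch
@echo off
REM Added example, not from the post or from Microsoft.
REM Placeholders: replace the share path, file name and marker key with your own.
set "REGFILE=\\server\fileshare\reghack.reg"
set "MARKER=HKLM\SOFTWARE\ExampleOrg\Workarounds"
set "VALUE=KB2501696"

REM Idempotence: if the marker is already present, this machine is done.
reg query "%MARKER%" /v "%VALUE%" >nul 2>&1
if %errorlevel%==0 (
    echo %VALUE% workaround already applied, nothing to do.
    exit /b 0
)

REM If the share is unreachable (laptop off-site, DFS hiccup), fail loudly
REM and let the next startup or shutdown run retry instead of failing silently.
if not exist "%REGFILE%" (
    echo Cannot reach %REGFILE%, will retry on next run. 1>&2
    exit /b 1
)

REM Silent import of the registry settings from the advisory's .reg file.
REM regedit /s does not report a useful exit code, so success is confirmed
REM by the marker written below rather than by its return value.
regedit /s "%REGFILE%"

REM Record that the workaround was applied on this host, with a timestamp,
REM so inventory scripts can find it and so it can be reverted after patching.
reg add "%MARKER%" /v "%VALUE%" /t REG_SZ /d "applied %DATE% %TIME%" /f >nul
if not %errorlevel%==0 exit /b 1
echo %VALUE% workaround applied.
exit /b 0
```

To roll back later, delete the marker value with reg delete and import a .reg file that restores the original settings, or simply let the official patch supersede the workaround as the advisory describes.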
Thanks for the update. I feel compelled to say that the best way to avoid the malicious code is not utilizing the exploitable application. I know we can’t leave the utopian concept, but I digress.