A zero-day exploit targeting one of the latest Microsoft flaws was publicly announced Tuesday, but don't worry -- there are workarounds, says a security expert.
That exploit, says its creator, "demonstrates the enormously elaborate methods required to defeat the current security mechanisms in place in both Microsoft Windows XP SP2 and Internet Explorer 6.00 SP2 fully patched." The malcode targets Internet Explorer on all Windows versions from 95 to XP SP2. Simply clicking on an image triggers a series of events that plants a file on the system and executes it, compromising the system and enabling the forced installation of anything from spyware to keyloggers, worms and Trojans.
Hacker http-equiv posted detailed exploit code to the Full-Disclosure mailing list Tuesday night, just one week after Microsoft announced a record number of 10 security bulletins, seven of them critical. The bulletins aim to patch a total of 22 newly discovered vulnerabilities. One of those, MS04-038, is a cumulative security update for Internet Explorer, fixing several vulnerabilities an attacker could use to take over machines.
Unfortunately, other attack vectors can still be used to exploit the flaw. Thor Larholm, a senior security researcher at PivX Solutions in Newport Beach, Calif., explained that although Microsoft used XP SP2 to lock down the Local Machine Zone following the recommendations PivX Labs made in 2003, the "LMZ lockdown has a per-process exception list in which HTML Help is included."
"I successfully reproduced this exploit on a fully patched XP SP2 installation and can verify that [the exploit] is planted locally after which HTML Help is used to launch it and circumvent the XP SP2 browser security improvements, compromising the system," Larholm said in an e-mail interview. "MS04-038 does not patch the Drag'n'Drop problem directly, instead it tries to prevent its use by limiting the types of files that can be used in DYNSRC. As http-equiv demonstrates in his original post, this restriction could be circumvented."
No patch is available yet from Microsoft, but Larholm has a recommendation: "Setting the Kill Bit on the Shell.Explorer ActiveX object prevents IE from referencing local directories in a window object, whether it's through AnchorClick behavior or some other approach. Setting the kill bit only affects the use of Shell.Explorer inside Internet Explorer and will not have any negative side effects. We have had this in production use on thousands of client systems for months without any reports of functionality impact."
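The kill bit Larholm recommends is Microsoft's documented ActiveX compatibility mechanism: a REG_DWORD named "Compatibility Flags" under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, with bit 0x400 set, tells Internet Explorer never to instantiate that control. The following PowerShell script is an added example, not code from the article, from PivX or from http-equiv's post. It audits the Shell.Explorer control's kill-bit state and sets the bit if it is missing. It resolves the control's CLSID from the ProgID keys under HKEY_CLASSES_ROOT rather than hardcoding a GUID, ORs the bit into any flags already present, and honours -WhatIf so the change can be previewed. The function names (Get-ShellExplorerClsid, Get-KillBitState, Set-KillBit) are this example's own and must be run from an elevated prompt to write to HKLM.

```powershell
# Added example (not from the article or from PivX): audit and set the IE ActiveX
# kill bit for the Shell.Explorer control. Per Microsoft's documented mechanism, the
# kill bit is bit 0x400 of the "Compatibility Flags" REG_DWORD under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# CLSIDs are looked up from the ProgID keys in HKCR, so no GUID is assumed here.
# Function and parameter names are this example's own. Run elevated to write HKLM.

$KillBit    = 0x400
$CompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-ShellExplorerClsid {
    # Version-independent and versioned ProgIDs; a given system may have any subset.
    foreach ($progId in 'Shell.Explorer', 'Shell.Explorer.1', 'Shell.Explorer.2') {
        $key = "Registry::HKEY_CLASSES_ROOT\$progId\CLSID"
        if (Test-Path $key) {
            (Get-ItemProperty -Path $key).'(default)'   # the CLSID string, e.g. {...}
        }
    }
}

function Get-KillBitState {
    param([Parameter(Mandatory)][string]$Clsid)
    $key   = Join-Path $CompatRoot $Clsid
    $flags = 0
    if (Test-Path $key) {
        $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $value) { $flags = [int]$value }
    }
    [pscustomobject]@{
        Clsid   = $Clsid
        Flags   = ('0x{0:X8}' -f $flags)
        KillBit = (($flags -band $KillBit) -ne 0)
    }
}

function Set-KillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # OR the bit in so any other compatibility flags already set are preserved.
    $new = ([int]$current) -bor $KillBit
    if ($PSCmdlet.ShouldProcess($key, ('Set Compatibility Flags = 0x{0:X8}' -f $new))) {
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

# Audit first, then set only where the bit is absent; re-read to confirm the write.
$clsids = @(Get-ShellExplorerClsid | Select-Object -Unique)
if ($clsids.Count -eq 0) { Write-Warning 'No Shell.Explorer ProgID found under HKCR.' }
foreach ($c in $clsids) {
    $before = Get-KillBitState -Clsid $c
    if (-not $before.KillBit) { Set-KillBit -Clsid $c }   # add -WhatIf to preview
    Get-KillBitState -Clsid $c
}
```

On 64-bit Windows the 32-bit browser reads the same key under HKLM\SOFTWARE\Wow6432Node\..., so a production deployment would apply the same write to both paths; the script keeps to the single path the article's era assumed. Reading the state back after the write is the check worth keeping: a kill bit that was never actually written gives no protection, and the audit output is also what an inventory or compliance scan would compare against.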
"As to disclosure," http-equiv said in an e-mail interview, "[the exploit] is pretty well by design to be interactive enough to not be considered a 'threat' as I see it and I am sure others will not share that viewpoint. Having focused for years on actual non-interactive (no user input other than viewing an e-mail or Web site) remote compromises, this designed demo requiring user input is basically boring."