21

Jan

MS Patch released: MS10-002 IE 0-day

by: Zarex dela Cruz, CISSP, CISA on Thursday, January 21, 2010 1:13 PM
 

Just finished attending McAfee’s monthly Hacking Exposed Live Special Edition to cover the “Operation Aurora”, which I talked about in my yesterday’s post. As always, Stuart McGlure demonstrated a simple and quick exploit to show how easy it is for this exploit to be executed in a vulnerable system.

In McGlure’s demo, he accessed his customized website using IE-6, which is vulnerable to the attack and showed how the exploit is downloaded to the machine, saved, decoded, and ran. Exploits like these make it really scary for everyone because it does not even require the end user to perform anything such as clicking or downloading something.

To make things worst, the downloaded file was a jpg (or could be gif, png). To some, it could just be a simple image file, but it is actually an executable file. The process is automatic. The jpg file is downloaded, repackaged, and then the binary is executed. The payload could be anything as installing a backdoor Trojan that sits in your computer to steal information, or it could be a nasty virus that wipes out your entire drive.

While I’ve been stressing enough to everyone to be aware about clicking links from emails or visiting suspicious websites, sometimes at the end of the day, it boils down to how your system is configured for protection. What are your protections, walls, or shields from these evildoers? Do you have your system locked down, updated, or patched?

PATCH. One best step to do is to patch your system so you are not vulnerable. Today, Microsoft released an out-of-band security patch to addressed this zero-day vulnerability. I highly recommend you to install this patch as your first line of defense. Here is the link: http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx. Again, do not install any third-party patches. Trust only the one that comes from vendor. Currently, I am attending the Microsfot’s Out-of-Band Security Release bulletin webcast, which they covered what is included in this patch.

BROWSER. It is discovered that other versions of IE, not only IE-6 could be vulnerable to this attack. So, it is not a bad idea to use an alternate browser like Firefox, Opera, or Chrome. I might also include your favorite email clients such as Outlook can easily launch the attack too, since email is displayed in HTML. So be aware of all the avenues where this attack can get through.

DEFENSE. For home users it is highly advised that you have an antivirus software and an up-to-date virus definitions. Having host firewall or IPS (Intrusion Protection System) also adds more layer of protection. In the corporate world, taking advantage of the powerful features of your Firewall, Proxy, nIPS, hIPS, and your Antivirus is very crucial.

Inline proxies can block those file downloads that are suspicious or deemed infected, thereby, protecting the corporate users. With a good signature and inline IDS, you can also block or drop these type of attacks or traffic. Likewise, an updated Antivirus can catch this before it can wreak havoc. Multiple lines of defense implemented correctly can provide you or your company a better protection mechanism.

So again, download and install the patch now, it is available from the link above; update your antivirus – protect yourself!

1 Response to MS Patch released: MS10-002 IE 0-day

  1. Angel says:

    January 23rd, 2010 at 5:46 AM

    Good information on the recent threat IE 0-day. Thank you

Leave a comment