Direct Animation Overflow and IE7

A researcher posted a vulnerability against IE6 yesterday that uses randomly generated (fuzzed) input to trigger a heap overflow in a Direct Animation object. Our team is testing a security update right now to fix this overflow, but in the meantime you can keep your systems safe from this vulnerability by disabling ActiveX controls in the Internet zone. If you’re a desktop administrator responsible for a set of desktops, you can publish a more tactical fix by disabling just that one control. If you have the ability to set registry keys on user desktops, the following registry fragment (in .reg file format) sets the "kill bit" for the vulnerable object's CLSID; bit 0x400 of the "Compatibility Flags" value tells Internet Explorer never to instantiate that CLSID, whether a page loads it through an OBJECT tag or through script:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}]
"Compatibility Flags"=dword:00000400
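As an added example (not code from the original post or from the IE team), here is a PowerShell script a desktop administrator could use to apply that kill bit, verify it, and back it out again once the real update is installed. The CLSID and the 0x400 flag are the ones given above; the function names are my own. It ORs the bit into any "Compatibility Flags" value that is already present rather than overwriting it, because other compatibility bits may already be set for the same CLSID.

```powershell
# Added example, not from the original post: set, verify and clear the IE
# ActiveX kill bit for the DirectAnimation CLSID quoted in the post.
# Run from an elevated prompt: the keys live under HKLM. Function names are my own.
$DirectAnimationClsid = '{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}'
$KillBit = 0x400   # bit of "Compatibility Flags" that IE checks before instantiating a CLSID

function Get-ActiveXCompatPath {
    param([string]$Clsid)
    # On 64-bit Windows the 32-bit browser reads the same subtree under SOFTWARE\Wow6432Node;
    # set both if you have to cover both bitnesses of IE.
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-ActiveXCompatFlags {
    param([string]$Clsid)
    $path = Get-ActiveXCompatPath $Clsid
    if (-not (Test-Path $path)) { return 0 }
    $item = Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid)
    $path = Get-ActiveXCompatPath $Clsid
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # OR the kill bit into whatever flags are already there instead of clobbering them.
    $flags = (Get-ActiveXCompatFlags $Clsid) -bor $KillBit
    New-ItemProperty -Path $path -Name 'Compatibility Flags' -PropertyType DWord -Value $flags -Force | Out-Null
}

function Clear-ActiveXKillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid)
    $path = Get-ActiveXCompatPath $Clsid
    if (-not (Test-Path $path)) { return }
    # Clear only our bit; leave any other compatibility flags untouched.
    $flags = (Get-ActiveXCompatFlags $Clsid) -band (-bnot $KillBit)
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $flags
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid)
    return ((Get-ActiveXCompatFlags $Clsid) -band $KillBit) -ne 0
}

# Usage: apply the kill bit and confirm it actually landed in the registry.
Set-ActiveXKillBit -Clsid $DirectAnimationClsid
if (Test-ActiveXKillBit -Clsid $DirectAnimationClsid) {
    "Kill bit set for $DirectAnimationClsid"
} else {
    "Failed to set kill bit for $DirectAnimationClsid"
}
```

Two caveats worth keeping in mind when you deploy this: the kill bit only stops Internet Explorer (and other hosts that honour the ActiveX Compatibility key) from loading the control, so the control's binary is still on disk and the security update is still needed; and because a fresh IE process reads the key on the next instantiation, users with the browser already open should restart it before you consider the workaround in effect.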

The fact that the research community found this bug is a credit to them, and evidence of the continued creativity going into tools like HD Moore’s Metasploit. I admire their creativity, but I do think a public disclosure is a missed opportunity to work together on the problem. Security researchers like Dan Kaminsky and Mark Litchfield want the same thing as the security engineering teams: researchers want to find inventive new attacks and see their creations fixed elegantly by the security engineering teams. I welcome and challenge more researchers to come and participate in the process; you can start with a mail to secure@microsoft.com.

The good news in yesterday’s disclosure is that IE7 is safe against this attack and against many of the other recent attacks on IE6. The input of the security community had a deep impact on the security strategy for IE7. As we worked with researchers to strengthen the core of the IE7 codebase against threats, we also eliminated threats on the periphery by reducing the attack surface we expose to malicious websites. Most notably, IE7 reduces attack surface by disabling most ActiveX controls on the system by default, so a control that a web page has never been allowed to use cannot be reached by a malicious page. We actually went a step further with the Direct Animation control and effectively remove it when you install IE7.

While we’re reducing the attack surface from ActiveX, pragmatists will realize that ActiveX controls and other binary extensions are a part of client software for the foreseeable future. ActiveX controls are important and can be built just as safely as any other client code. I’m in frequent contact with the engineering teams for the most commonly used ActiveX controls on the internet, such as Adobe Flash, Apple QuickTime, RealPlayer, WMP, the Sun JRE and Adobe Acrobat. They are also working with the security research community, and they are making the same type of investments to strengthen their controls against attacks.

Some developers will re-enable less commonly used controls for particular scenarios on some systems, but since the default for most ActiveX controls in IE7 is off, the value of an ActiveX vulnerability like the one reported yesterday will start to approach zero.

Rob Franco
Lead Program Manager

Comments

  • Anonymous
    September 15, 2006
    You said: "I admire their creativity but I do think a public disclosure is a missed opportunity to work together on the problem."

    HD Moore did disclose this to you privately; it's not his fault you didn't fix it before someone else found it.

    http://www.securityfocus.com/archive/1/446085/30/0/

  • Anonymous
    September 15, 2006
    Steve is right and yes, the ISC reported about the problem back on September 1: http://isc.sans.org/diary.php?storyid=1661
    Since I have been aware of the exploit, I have offered a ZIP file containing REG files to set and remove the "killbit" for the control/object: http://patch-info.de/IE/2006/09/01/ - warning, that's a German writeup ;-)

    Bye,
    Freudi

  • Anonymous
    September 15, 2006
    Why, whenever there is a security breach, does Microsoft start off by implying that it's not their fault but the fault of the person who posts it? If I left a key under the door mat to my house and the house got robbed, I would blame myself. Microsoft would blame the nosy neighbour with a blabber mouth who told the thief.

  • Anonymous
    September 15, 2006
    "We actually went a step further with Direct Animation control and effectively remove it when you install IE7."

    Can you honestly claim that this decision - and its associated content breakage - was taken solely for security reasons? Just interested.

  • Anonymous
    September 16, 2006
    You guys don't bother to fix an exploit until it is publicly disclosed and there is an outcry...

  • Anonymous
    September 16, 2006
    @Fduch, our security development and test teams review each bug report to see if it is exploitable.

    If you think they misjudged a bug or we're not casting a wide enough net, please send email to secure@microsoft.com.

    @Fiery, fixing the bug is the first step and that's done. Testing the fix properly is maybe even more important.

  • Anonymous
    September 17, 2006
    Just some random vulnerability.

    "Successful exploitation allows an arbitrary file on the user's system to be uploaded to a malicious web site, but requires that the user types a text containing the characters of the filename."

    More than 3 months old.
    Unpatched.
    I think it would remain unpatched for at least a year.

  • Anonymous
    September 17, 2006
    @fduch
    That does not sound like a very critical vulnerability. Surfing to a website and filling in the name of a file on your system and then having that file uploaded to that system seems difficult to exploit.

  • Anonymous
    September 17, 2006
    I want to know if anything is being done about IE7 crashing to desktop. I have this problem many times per day, and so do my workmates. I have a fresh and updated install of XP Pro, then installed IE7. It crashes to desktop at least every second time I open it; does anyone else have this issue???? And yes, it sends an error report.

  • Anonymous
    September 17, 2006
    "I do think a public disclosure is a good opportunity to get the attention of people that know the problem."

    The spelling and grammar check is complete.

  • Anonymous
    September 18, 2006
    "The good news in yesterday’s disclosure is that IE7 is safe against this attack and many of the other recent attacks on IE6."

    Just one more reason to consign IE 6 to history as soon as practical. Get IE 7 out there now. Trying to repair IE 6 is like trying to patch wet toilet paper!

  • Anonymous
    September 18, 2006
    I know the previous answers to this question: "4th Quarter".

    Well we're already in the 4th Quarter, so pls answer the question in "weeks" this time.

    Regards

  • Anonymous
    September 18, 2006
    If you were actually finding flaws on software for the sole purpose of helping the community, then you would not release it to the public -ever-.

    Too many people assume simplicity in fixing a bug.

  • Anonymous
    September 18, 2006
    @hAl:@fduch
    > That does not sound like a very critical vulnerability. Surfing to a website and filling in the name of a file on your system and then having that file uploaded to that system seems difficult to exploit

    YEEEEEEEEEEEEEEEEEES!!!!!!!!!!!!!!!
    You've said it.

    There is even a proof of concept exploit.
    But all you say is "it's difficult to exploit. Why bother patching it?"
    Just like Microsoft says!

    And imagine going to some site that requires you to fill in some info. There are files with known names that contain valuable information (and the attacker can disclose filenames through other UNPATCHED vulnerabilities). There is a hidden file upload field. While you are filling in the data, or just randomly mashing the keyboard, the script collects letters. Then the file is easily uploaded to the attacker.

  • Anonymous
    September 18, 2006
    Internet Explorer 6 with XP SP2 is requiring the awaited update, because installing Windows Live Toolbar in IE6 as above makes a very fast browser, which has a phishing filter. I think speed is important for effective browsing, and I have not found IE7 able to pace IE6 for speed. You can get a download to stop IE7 being installed. Let's hope MS can write what is being discussed, because a default setting is involved.

  • Anonymous
    September 18, 2006
    Fduch:

    I was talking about the case where 'GoodGuy' discovers the exploit. So no one is abusing it yet.

    So when 'GoodGuy' releases the exploit, suddenly ScriptKiddy and BadGuy know how it works, so BadGuy writes a Script. ScriptKiddies all around the world download it and suddenly everyone is having problems because GoodGuy thought that releasing an exploit publicly would be a wise decision.

  • Anonymous
    September 18, 2006
    @Aedrin
    In security often different people come to same ideas.

    For example, I see that some new worms are using some of my 3-year-old ideas.

  • Anonymous
    September 18, 2006
    I hear IE7 final will be released next month? Does anyone know when it's coming out?

  • Anonymous
    September 18, 2006
    @PatriotB "But do Java or .NET meet the performance requirements for, say, playing streaming video or fancy animations?  I think the answer is no; even WPF/Avalon, which has portions written in managed code, has portions written in native code as well."
    Yes, .NET does meet the requirements. There is Managed DirectX. There is WPF. There is me, who builds my own voxel graphics engine in .NET.
    .NET will always use native code to communicate with the system. But I can say that the Framework is rather safe. It communicates with native code in a secure way.

    So I think that allowing/demanding the use of .NET scripts/controls is a good thing. They just need to make a good wrapper around IE functions.
    Hope they'll do it before I die.

  • Anonymous
    September 19, 2006
    @Darrin: Please try the steps in the first section of this page: http://www.enhanceie.com/ie/troubleshoot.asp