Wednesday, July 15, 2009

Bad browser juju

Both Internet Explorer and Firefox have new exploits targeting them - different exploits for different browsers.

Internet Explorer - Really, you should just stop using it. If you absolutely must, your next best option is to disable ActiveX entirely; the new exploit targets an ActiveX Control, and is the second one in a month. As The Register puts it, Swiss Cheese browser gains another hole:

The timing of the advisory, a day before Microsoft's monthly Patch Tuesday update, suggests it's highly unlikely that a fix will become available until August at the earliest.

Monday's advisory adds to the list of pending Internet Explorer vulnerabilities, most notably an unpatched flaw in Microsoft Video ActiveX Control that has become the target of widespread exploitation since earlier this month. The flaw is particularly serious because Internet Explorer users can get hit simply by straying onto a hacker-controlled website, providing they are running Windows XP. Vista, as with the latest ActiveX bug, is far less susceptible.

Actually, that's a bit unfair to swiss cheese ...

IE users need to go to Tools -> Internet Options. Select the "Security" tab, and then click "Custom level". Make sure the following under "ActiveX Controls and Plugins" are disabled:
  • Allow previously unused ActiveX Controls to run without prompting
  • Allow scriptlets
  • Download unsigned ActiveX Controls
  • Download signed ActiveX Controls (this is the biggie, and is almost certainly enabled by default)
  • Initialize and script ActiveX Controls not marked safe for scripting
  • Run ActiveX Controls and plug-ins (this is the other biggie)
  • Script ActiveX Controls marked safe for scripting (the third biggie)
Note that you'll break some web sites that rely on ActiveX. However, it's simply not safe: the controls being exploited are written by Microsoft, and they're considered safe for scripting (they're the Microsoft Office Web components). Breaking ActiveX is the point. This is why I suggest shifting to Firefox.

Firefox - If you switch from Internet Explorer, make sure to go to Firefox 3.0, not 3.5, because there's an attack targeting some code that's new in 3.5. Important: if you are running Firefox 3.0.x, you're fine; the exploit will not work against you. If you're running 3.5, you are vulnerable.

Brian krebs at Security Fix has instructions for protecting your Firefox 3.5:
Fortunately, there is a relatively easy fix for this that can be reversed once Mozilla issues a patch. To disable the vulnerable component, open up a new Firefox window and type "about:config" (without the quotes) in the browser's address bar. In the "filter" box, type "jit" and you should see a setting called "javascript.options.jit.content". You should notice that beside that setting it reads "true," meaning the setting is enabled. If you just double-click on that setting, it should disable it, changing the option to "false." That's it.
The smart money is betting that there's a Firefox fix later this week, while Internet Explorer may be updated next month (may be - there's no guarantee for ActiveX Controls).

Brian Krebs has an information-rich post about the Internet Explorer vulnerability; seems it's being exploited by hundreds of compromised web sites that are serving up malware to pwn you longtime. I can't emphasize too strongly that you are probably not securable if you run Internet Explorer. If you haven't already, just switch to Firefox. Really.

UPDATE 15 July 2009 14:13: If you are using a version of Firefox earlier than 3.5, you are NOT vulnerable. So if you're currently on 3.0.5, you're safe from this. This is a vulnerability in new code that was added in 3.5 to make Javascript rendering faster. 3.0.x versions don't have this code, so you don't have the problem.


Buck said...

Where does Firefox 3.0.5 fall in all of this?

Borepatch said...

Buck, 3.0.5 is not vulnerable - this is only 3.5. I've added an update to clarify this.

Buck said...

That,s what I thought but wanted to sure. Your other post's finely convinced me to switch from IE. Thanks.

Borepatch said...

Buck, thanks for letting me know. I have to say that Microsoft has really been trying hard for some time now on security - much harder than, say, Apple. Unfortunately, they're patching a bad architecture.

Anonymous said...

Suck - the only reason I use IE is for my states unemployment web site to file a weekly claim (requires Active-X).

But, then again - it's also on a Virtual Machine... Roll back maybe...

Borepatch said...

Anonymous, that's a good strategy, as long as you revert to the original snapshot. Doesn't matter if you get pwned if the OS is automatically rolled back.

TOTWTYTR said...

Thanks again. I switched from IE back when Netscape was the only alternative and have never regretted it. Even thought IE 8 is pretty good, it's continues the MS tradition of being all vulnerable, all the time.

Ian Argent said...

The last several of these posts have exempted Vista users of IE. Wonder whether the maligned UAC has anything to do with that?

I get the thrust of this, but there's enough money in cracking machines now that if everyone, or even a fraction of the people you give the advice to do switch, Firefox will be pwned.

Finally, note that the current version of Firefox was exloited. Damned if you do, and damned if you don't. (A Problem with UAC, and I dislike the dialing down of the UAC with Windows 7 because it opened holes).

That isn't to say that MS is blameless in the security game (ActiveX I'm looking at you). But pushing people to upgrade to firefox in the same post that notes that the latest version of Firefox had an exploit? Yeah, sure, they'll have a patch out quicker than MS. Yippy.

Borepatch said...

Ian, you're correct that there is no panacea - there is a long history of vulnerabilities in Unix.

However, it's undeniable that Firefox is less of a security problem than IE. While the latest Firefox is indeed vulnerable, hundreds of web sites have been hacked and are serving up IE exploits.

Vista's UAC is a help, but is not keeping Vista from being added to the botnets - phishing attacks trick people to install malware even with UAC.

If you're running Linux, and if you use Firefox, you're not invulnerable. You are a much, much smaller target.

Ian Argent said...

You're a smaller target - as long as the market is smaller. As more people switch (which is happening and shows no sign of stopping), the relative payoff for targeting non-IE/Windows installs gets bigger. And there's big money in botnets and other explois now, money enough to make pwning machines a career. I work it tech support, and one of the things I have had to deal over the last year was a flood of DNS changer trojans on the Mac. The worst part of it was that the attack pattern on the mac is MUCH less sophisticated and stealthy on the Mac (on Windows the trojan burrows in and attempts to hide that the DNS servers have been changed, whereas on the Mac it's blatantly obvious). Nonetheless, I almost NEVER see this trojan affecting our windows customers, whereas it was a significant proportion of our mac tickets. This isn't an apples-to-apples comparison as the attack vector is pure social engineering (install our codec to see the bewbs) rather than a technical exploit. But I think it shows the kind of cargo-cult security mindset that non-technical users can have. Call it the seat-belt effect, if you will. Or security via obscurity, which only works until it's worth someone's while to break that obscurity.

Also, the July 6 DirectShow exploit appears to not affect IE 8 per Symantec via PCMag. That would seem to show that MS is FINALLY beginning to start taking security seriously.

Finally, don't think I'm trying to suggest Win/IE is more secure than the alternatives. It's usually less secure, mostly because users hate security. The only secure computer is one that is walled up in a closet with no console or power, and even then you can always take down the wall with demo tools:) But someone who switched from IE8 to Firefox 3.5 is more vulnerable to the exploit in the original post than I am running IE8 on Vista. (Per Symantec via PCMag - if that's changed I haven't seen anything on it). IE8 isn't bulletproof either - see the recent pwn2own contest (in which all major desktop browsers were exploited) and it would appear that it took MS 3 months to close the exploited hole. But it's not exactly swiss-cheese either.

(WV: reflogi - someone fetch me a dead horse?)