RealTime IT News

IE Workarounds For Zero-Day Exploit

Zero-day exploits are among the most traumatic events on the IT security landscape because they come without warning and by definition have no fix.

With the specter of such an exploit budding on Friday by a French security firm claiming that it found such an exploit in Microsoft's Internet Explorer, Microsoft quickly issued an advisory with workaround information.

French security firm FrSIRT titled the exploit, "Microsoft Internet Explorer "Msdds.dll" Remote Code Execution Exploit" and publicly posted Proof of Concept code on its Website in order to backup its claim.

An FrSIRT spokesperson told internetnews.com that an anonymous researcher who sent the exploit to FrSIRT first discovered the vulnerability.

FrSIRT did not first alert Microsoft about the vulnerability, which Microsoft does not consider to be responsible disclosure.

"We continue to encourage responsible disclosure of vulnerabilities," Microsoft's advisory on the issue states. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."

FrSIRT's spokesperson explained that the researcher who discovered the issue decided to publicly disclose it. In accordance with FrSIRT's disclosure policy, the firm verified the information and then published the exploit on the FrSIRT website.

Microsoft Security Advisory (906267) said Microsoft is investigating the issue and is currently unaware of any attacks using the exploit.

The advisory explains that the Msdds.dll COM object, when called from a Web page viewed with IE could case IE "to unexpectedly exit."

"This condition could potentially allow remote code execution if a user visited a malicious Web site," the advisory states. "This COM Object is not marked safe for scripting and is not intended for use in Internet Explorer."

In fact, in the mitigating factors section of Microsoft's advisory, the company said only IE users with the affected COM object (Msdds.dll versions 7.0.6064.9112 and 7.0.9466.0) are vulnerable.

According to a US-CERT advisory on the issue (http://www.kb.cert.org/vuls/id/740372) IE users that have Visual Studio .NET 2002 installed on their systems are the users that are likely at risk. The at risk version of Msdds.dll does not ship with Microsoft Windows and is not part of Microsoft Office either.

Microsoft has offered a number of workaround in its advisory to further mitigate risk. Those workarounds include:

  • Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX controls in these zones;
  • Change your Internet Explorer to prompt before running or disable ActiveX controls in the Internet and Local intranet security zone;
  • Disable the Microsoft DDS Library Shape Control (Msdds.dll) COM object from running in Internet Explorer;
  • Unregister the Msdds.dll COM Object;
  • Modify the Access Control List on Msdds.dll to be more restrictive