IE Workarounds For Zero-Day Exploit

Zero-day exploits are among the most traumatic events on the IT security
landscape because they come without warning and by definition have no fix.

After a French security firm claimed on Friday that it had found such an
exploit in Microsoft’s Internet Explorer, Microsoft quickly issued an
advisory with workaround information.

French security firm FrSIRT titled the exploit “Microsoft Internet
Explorer ‘Msdds.dll’ Remote Code Execution Exploit” and publicly posted
proof-of-concept code on its Web site in order to back up its claim.

An FrSIRT spokesperson told internetnews.com that an anonymous researcher
who sent the exploit to FrSIRT first discovered the vulnerability.

FrSIRT did not first alert Microsoft about the vulnerability, which
Microsoft does not consider to be responsible disclosure.

“We continue to encourage responsible disclosure of vulnerabilities,”
Microsoft’s advisory on the issue states. “We believe the commonly accepted
practice of reporting vulnerabilities directly to a vendor serves everyone’s
best interests. This practice helps to ensure that customers receive
comprehensive, high-quality updates for security vulnerabilities without
exposure to malicious attackers while the update is being developed.”

FrSIRT’s spokesperson explained that the researcher who discovered the
issue decided to publicly disclose it. In accordance with FrSIRT’s
disclosure policy, the firm verified the information and then published the
exploit on the FrSIRT website.

Microsoft Security Advisory (906267) said Microsoft is investigating the issue and is currently unaware of any attacks
using the exploit.

The advisory explains that the Msdds.dll COM object, when called
from a Web page viewed with IE, could cause IE “to unexpectedly exit.”

“This condition could potentially allow remote code execution if a user
visited a malicious Web site,” the advisory states. “This COM Object is not
marked safe for scripting and is not intended for use in Internet Explorer.”

In fact, in the mitigating factors section of Microsoft’s advisory, the company said
only IE users with the affected COM object (Msdds.dll versions
7.0.6064.9112 and 7.0.9466.0) are vulnerable.

According to a US-CERT advisory on the issue
(http://www.kb.cert.org/vuls/id/740372), IE users who have Visual Studio
.NET 2002 installed on their systems are the ones likely to be at risk. The
at-risk version of Msdds.dll does not ship with Microsoft Windows and is not
part of Microsoft Office either.

Microsoft has offered a number of workarounds in its advisory to further
mitigate risk. Those workarounds include:

  • Set Internet and Local intranet security zone settings to “High” to prompt
    before running ActiveX controls in these zones;

  • Change your Internet Explorer to prompt before running or disable ActiveX
    controls in the Internet and Local intranet security zone;

  • Disable the Microsoft DDS Library Shape Control (Msdds.dll) COM object
    from running in Internet Explorer;

  • Unregister the Msdds.dll COM Object;
  • Modify the Access Control List on Msdds.dll to be more restrictive.
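
An added example, not taken from the article or from Microsoft's advisory: a PowerShell audit that locates copies of Msdds.dll, flags the two affected versions named above, and optionally reports whether Internet Explorer's kill bit (the registry mechanism IE uses to block a COM object) is set for the control. The search roots and the `-Clsid` parameter are assumptions; the article does not give the control's CLSID, so take it from the vendor advisory.

```powershell
# Added example: audit a host for the Msdds.dll versions named in the advisory.
# Search roots are an assumption; pass -Root to match your environment.
param(
    [string[]]$Root = @($env:ProgramFiles, ${env:ProgramFiles(x86)}),
    # CLSID of the control, braces included. Not given in this article;
    # take it from the vendor advisory.
    [string]$Clsid
)

# Affected versions as quoted from the advisory's mitigating factors.
$affected = @('7.0.6064.9112', '7.0.9466.0')

function Get-MsddsStatus {
    param([string]$Path)
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Build the version from numeric parts; FileVersion strings can carry extra text.
    $ver = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                $vi.FileBuildPart, $vi.FilePrivatePart
    [pscustomobject]@{
        Path     = $Path
        Version  = $ver
        Affected = $affected -contains $ver
    }
}

# Skip roots that are unset (e.g. no x86 folder on 32-bit Windows) or missing.
$found = foreach ($r in ($Root | Where-Object { $_ -and (Test-Path $_) })) {
    Get-ChildItem -Path $r -Filter 'msdds.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-MsddsStatus -Path $_.FullName }
}

if (-not $found) { 'Msdds.dll not found under the search roots.' }
else { $found | Format-Table -AutoSize }

# Optional: report whether IE's kill bit (Compatibility Flags 0x400) is set.
if ($Clsid) {
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    $set = ($null -ne $flags) -and (($flags -band 0x400) -ne 0)
    "Kill bit set for ${Clsid}: $set"
}
```

On 64-bit Windows, 32-bit Internet Explorer reads the same key under `HKLM:\SOFTWARE\Wow6432Node`, so check both registry views there.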