Internet Explorer Zero-Day Discovered, Metasploit Module Released

A new 0-day IE exploit puts a lot of internet users at risk. According to Rapid7 (creator of the Metasploit testing platform), the new zero-day, discovered by security researcher Eric Romang, affects IE 7, 8 and 9 on Windows XP, Vista (Anyone really use that anymore?) and Windows 7.

The zero-day was found when Eric was analyzing a machine that was infected with “Poison Ivy”, a malicious remote administration tool (RAT). Apparently the 0-day was actually used to install Poison Ivy, possibly by the “Nitro” hacker gang.

Check out the video Eric made (above) and his website for more information.

Microsoft urged users to use its free security tool, the Enhanced Mitigation Experience Toolkit (EMET). Rapid7 countered that this stop-gap does not work well in all circumstances and that users should switch to another browser until a security patch for IE is released.

Rapid7 also released a Metasploit module (pictured above) so corporate security teams can test their networks to see if they are vulnerable to the exploit. All Metasploit users need to do is update their install and the module will be pulled down. BackTrack users can simply run “msfupdate”.

State Sponsored IE Vulnerability and a 4 Line MySQL Exploit

Some interesting news has come out in the last week about two serious Internet Explorer vulnerabilities and a MySQL vulnerability that can be exploited with a four-line exploit!

IE VULNERABILITIES

Of the two latest Microsoft IE vulnerabilities, CVE-2012-1889 and CVE-2012-1875, the first seems the most interesting. Rumored to be “state-sponsored”, the vulnerability appears to target users of Gmail, MS Office and Internet Explorer, and as yet it is still an active zero-day exploit. Security software company Rapid7 explains the vulnerability as follows:

“This is an uninitialized memory bug found in MSXML. According to Microsoft, such a component can be loaded from either Internet Explorer or Microsoft Office. This vulnerability is rumored to be “state-sponsored”, and what makes it really critical is it’s still a 0-day hijacking Gmail accounts. That’s right, that means if you’re using Gmail as well as Internet Explorer or Microsoft Office, you’re at risk. We expect this vulnerability to grow even more dangerous since there’s no patch, and it’s rather easy to trigger.”

The second IE exploit has been patched, but as yet there is no patch for CVE-2012-1889. Microsoft does offer a “FixIt” program as a workaround until an official patch is released.

Rapid7, the creative geniuses behind Metasploit, have already released exploit modules for both IE vulnerabilities so you can test your systems to see if they are vulnerable to the attack.

MySQL VULNERABILITY

Earlier this month, an advisory about a serious vulnerability in MySQL and MariaDB was released. According to a post on Seclists.org, an attacker may be able to trick MySQL into allowing a login without the correct password simply by repeating login attempts:

When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might’ve happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256.

Which means, if one knows a user name to connect (and “root” almost always exists), she can connect using *any* password by repeating connection attempts. ~300 attempts take only a fraction of a second, so basically account password protection is as good as nonexistent.

Security expert David Kennedy (aka ReL1K) has released a four-line Python exploit script to test for the vulnerability. Other sites say that the exploit can be written in a single shell line! Metasploit has released a module that uses the authentication bypass to dump usernames and password hashes from the MySQL server.

Fortunately only certain versions of MySQL and MariaDB are vulnerable. Check the security advisory for more information.
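To make the advisory's explanation concrete, here is an added example (not the post's or MySQL's own code) that models the casting bug: a memcmp() stand-in whose result is not clamped to -1/0/1 (a constructed model of the behaviour the advisory describes), the pre-fix check that returns that int through a signed-char my_bool beside the fixed boolean check, and a Monte Carlo run over random scrambles, which reproduces the roughly 1/256 acceptance rate for a wrong password. The token function is a stand-in (plain SHA-1 over password and scramble), not MySQL's exact scheme.

```python
import hashlib
import random


def token(password: bytes, scramble: bytes) -> bytes:
    """Stand-in for the SHA-based token from the advisory (constructed:
    one SHA-1 over password and scramble, not MySQL's exact scheme)."""
    return hashlib.sha1(password + scramble).digest()


def memcmp_model(a: bytes, b: bytes) -> int:
    """Model of a memcmp() that compares 4-byte words and returns their
    integer difference instead of -1/0/1 (constructed; the advisory notes
    that real implementations may return values outside -128..127)."""
    for i in range(0, len(a), 4):
        wa = int.from_bytes(a[i:i + 4], "big")
        wb = int.from_bytes(b[i:i + 4], "big")
        if wa != wb:
            return wa - wb
    return 0


def narrow_to_my_bool(value: int) -> int:
    """C's implicit conversion of an int to my_bool (a signed char):
    only the low byte survives, so 256, -256, 512 ... all become 0."""
    return ((value + 128) % 256) - 128


def check_buggy(got: bytes, expected: bytes) -> bool:
    """Pre-fix shape: memcmp's int result is returned as my_bool, so any
    non-zero result whose low byte is 0 is read as 'tokens are equal'."""
    return narrow_to_my_bool(memcmp_model(got, expected)) == 0


def check_fixed(got: bytes, expected: bytes) -> bool:
    """Post-fix shape: reduce to a boolean before any narrowing can happen."""
    return memcmp_model(got, expected) == 0


def bypass_rate(trials: int, seed: int = 1) -> float:
    """Fraction of wrong-password logins the buggy check accepts over random
    scrambles. Only the low byte of the first differing word matters, so
    the rate lands near the advisory's 1/256 (about 0.0039)."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(trials):
        scramble = bytes(rng.getrandbits(8) for _ in range(20))
        if check_buggy(token(b"wrong", scramble), token(b"s3cret", scramble)):
            accepted += 1
    return accepted / trials
```

The fixed check never accepts a mismatching token, whatever magnitude the comparison routine returns.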

So what is IPv6 Anyways, and why Should I care?

TCP/IP is the communication protocol that the internet and most computer networks use. Even a lot of phones use it now. It is basically the language that systems use to talk to each other.

The current version of the protocol that we are using is IPv4. IP stands for “Internet Protocol”, and it is the 4th revision of the language.

Every device connected to the internet has an address so it can be found by other systems. It is called an IP Address.

A sample address is 72.43.32.2
If you type this address into your web browser you will end up at iCorning.com.

One of Google’s several addresses is 74.125.225.18
Same thing, if you type this in, you end up at Google.

A system called DNS converts between these numeric addresses and the more human-readable names that we are used to using.

When IPv4 was created it allowed for about 4.3 billion addresses. That seemed like a lot at the time, but this was a long time ago, before there were smart phones and internet-connected devices, and before many third world countries started to hook systems up to the web.

Now, new IPv4 addresses are all but depleted.

IPv6 was created to fix this issue, and to address some of the security issues in IPv4. There are 2^128 IPv6 Addresses, that is, oh roughly:

340,282,366,920,938,463,463,374,607,431,768,211,456 unique IPv6 addresses.
So we shouldn’t be running out anytime soon.

They look something like this:
fe80:0000:0000:0000:ad64:ca16:cf86:6ec6
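As an added example (not part of the original post), here is a small parser for that textual format: it expands an address into its eight 16-bit groups, handling the `::` shorthand for a run of zero groups, compresses it back into the shortest form (longest zero run replaced by `::`, lowercase hex, no leading zeros), flags the `fe80::/10` link-local range that the sample address above falls in, and cross-checks the result against Python's standard `ipaddress` module.

```python
import ipaddress


def expand_ipv6(text: str) -> list:
    """Parse an IPv6 address into eight 16-bit groups. '::' stands for one
    run of one or more zero groups and may appear at most once."""
    if text.count("::") > 1:
        raise ValueError("more than one '::' in " + text)
    head, sep, tail = text.partition("::")
    left = [int(g, 16) for g in head.split(":")] if head else []
    right = [int(g, 16) for g in tail.split(":")] if tail else []
    missing = 8 - len(left) - len(right) if sep else 0
    if (sep and missing < 1) or len(left) + len(right) + missing != 8:
        raise ValueError("wrong number of groups in " + text)
    groups = left + [0] * missing + right
    if any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError("group out of range in " + text)
    return groups


def compress_ipv6(groups: list) -> str:
    """Shortest form: lowercase hex without leading zeros, and the longest
    run of two or more zero groups (first one on a tie) replaced by '::'."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = [format(g, "x") for g in groups]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def describe(text: str) -> dict:
    """Expanded and compressed forms, link-local flag, and a cross-check
    of our compression against the standard library's."""
    groups = expand_ipv6(text)
    short = compress_ipv6(groups)
    return {
        "exploded": ":".join(format(g, "04x") for g in groups),
        "compressed": short,
        "link_local": groups[0] & 0xFFC0 == 0xFE80,  # fe80::/10
        "matches_stdlib": ipaddress.IPv6Address(text).compressed == short,
    }


ADDRESS_SPACE = 2 ** 128  # the 340,282,366,... figure quoted above
```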

The problem is that the US is switching to IPv6 very slowly. I believe that we are behind China and Japan in the switchover. And many US companies have no immediate plans to even make the transition. Google currently has a single Linux box set up to handle the IPv6 Google traffic. But eventually we will all be using IPv6.

This is a response that I wrote to a forum question about IPv6 on iElmira.com.

Microsoft wants you to stop using Internet Explorer 6

In a rare move by a software company, Microsoft has started a campaign to get users to stop using one of its products – IE 6.

Internet Explorer 6 is now 10 years old, and with growing compatibility and security issues, Microsoft has started a website campaign entitled “The Internet Explorer 6 Countdown” to get users off the old browser. Current IE6 worldwide usage sits at 12% according to the Microsoft site, and they want it to drop to less than 1%.

Below is a breakdown of IE6 usage worldwide:

For more information check out the IE6 Countdown web page.