0day

Details of a new vulnerability in IE6 and IE7 were published on the internet at the beginning of last week, before Microsoft was aware of the problem. Microsoft has issued a security advisory but has yet to announce an update to correct the problem. Like previous vulnerabilities (see here and here), recommended workarounds and protection measures place heavy (unrealistic?) demands on users, and the risks remain high — an attacker can inherit the user’s access rights on the attacked machine. IE6 and IE7 are still the most widely used browsers on enterprise networks.

It’s worth remembering that even the most well-informed users can fall victim to a web-based attack. It happened to well-known security expert Gadri Evron, who unwittingly helped propagate a worm on Facebook. While Facebook reacted quickly to the attack, it’s interesting to note the propagation method was based on clickjacking rather than on XSRF as some early blog posts said.

The fourth 0-day vulnerability (after this one and these) in only two weeks has just appeared and it is targeting one of the most used plugins: the Flash Player from Adobe which is used to make web sites visually appealing, to watch videos on YouTube, to play online games, …

What do we face:

• A critical vulnerability in the Flash player (at least in version 9 and 10) which can be exploited from all browsers and OS when accessing a compromised website (drive-by attack) or when viewing a malicious PDF using Adobe Acrobat Reader ;
• Both exploitation methods have already been seen in the wild ;
• No mitigation methods except removing the Flash player or some of its components ;
• Javascript desactivation will not protect against all kind of exploitation ;
• Adobe will not release security updates until July 30.

What do you do ?

A new 0-day vulnerability in Microsoft’s ActiveX Video Control puts, once again, the focus on browser security. Thousands of web sites (most are compromised) are already used to exploit this vulnerability and take control of the user’s workstations.

Microsoft has already published a security advisory and a technical analysis on its security blog, but no security update. The only workaround is to use the famous Kill-bit to disable this ActiveX control (or to surf using another browser than IE…). Still, Microsoft deserves a red card because the CVE number (CVE-2008-0015) and its creation date prove that they were aware of this vulnerability since 18 months.

At commonIT, our virtualized browser product, Virtual Browser, can protect users, by design against these kinds of attack. Indeed, even when using the Internet Explorer rendering engine, the successful exploitation of this vulnerability will not take ownership of the user’s workstation or company network or other trusted web applications. Any malicious code will be automatically destroyed when the user closes the window. Stress-free Internet?