More Vulnerability Fun..
The boys and girls at FrSIRT have done it again. Earlier this week, they published a security advisory, along with exploit code, for a vulnerability in an ActiveX(ploit) module named "msdds.dll" that is triggered when the control is instantiated in Internet Explorer. A number of sites in the infosec community raised the alarm, and yesterday Microsoft released a Security Advisory describing workarounds, in which they repeat their oft-heard vent that
Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.
Normally, I would be inclined to agree with them. However, in this case, they have already released not one but two patches (MS05-037 and MS05-038) for essentially the same vulnerability (ActiveX objects that should not be instantiable inside IE were, and instantiating them could result in remote code execution) in the past 2 months, so despite the hype this is not really a "zero-day" exploit. And, to be quite honest, after the MS05-038 patch (where the "kill bit" was set for a whole slew of ActiveX(ploit) objects), the bad guys were bound to run through the list and see what other exploitable goodies MS forgot to take out.
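Since the workaround for this whole class of bugs is the kill bit mentioned above, here is an added example (my own script, not anything from the FrSIRT advisory or Microsoft's advisory) that checks whether a given CLSID has its kill bit set and, with -Set, applies it. The kill bit is the 0x400 bit of the "Compatibility Flags" DWORD under the "ActiveX Compatibility" key, as documented in KB240797. The CLSID you pass in must come from the vendor advisory; the script does not know the msdds.dll CLSID, and the one in the usage comment is a placeholder.

```powershell
# Added example: check or set the Internet Explorer ActiveX kill bit for one CLSID.
# Usage (the CLSID below is a PLACEHOLDER, not the real msdds.dll CLSID):
#   .\Check-KillBit.ps1 -Clsid '{00000000-0000-0000-0000-000000000000}'
#   .\Check-KillBit.ps1 -Clsid '{00000000-0000-0000-0000-000000000000}' -Set   (run elevated)
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^\{[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}$')]
    [string]$Clsid,
    [switch]$Set
)

# 0x400 in "Compatibility Flags" tells IE never to instantiate the control (KB240797).
$KillBit = 0x400
$base = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$key  = Join-Path $base $Clsid

# Read the current flags value, or $null if the key or value does not exist.
function Get-CompatibilityFlags {
    param([string]$KeyPath)
    if (-not (Test-Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.'Compatibility Flags'
}

# True only when the kill bit itself is set; other flag bits are ignored.
function Test-KillBit {
    param([string]$KeyPath)
    $flags = Get-CompatibilityFlags -KeyPath $KeyPath
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -eq $KillBit)
}

if (Test-KillBit -KeyPath $key) {
    Write-Output "Kill bit already set for $Clsid"
}
elseif ($Set) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the bit in so any other compatibility flags already present are preserved.
    $existing = Get-CompatibilityFlags -KeyPath $key
    $new = if ($null -eq $existing) { $KillBit } else { $existing -bor $KillBit }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
    Write-Output ("Kill bit set for {0} (Compatibility Flags = 0x{1:X})" -f $Clsid, $new)
}
else {
    Write-Output "Kill bit NOT set for $Clsid (run elevated with -Set to apply)"
}
```

Two things to keep in mind when using it: writing under HKLM requires an elevated shell, and on 64-bit Windows the 32-bit IE reads the same key under HKLM:\SOFTWARE\Wow6432Node\..., so a check there is needed as well. Setting the kill bit only stops IE from loading the control; it does not fix the bug in the DLL itself, which is why the real fix is still the vendor patch.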
One good thing about this one is that the major anti-virus vendors appear to already protect against this exploit, since it is so similar to others they already protect against.
So, expect another IE patch from MSFT next month on "Microsoft Tuesday" for this one. And, as always, practice safe surfing and keep your A/V signatures up to date.