Drive-by 'unicorn' 0day beats EMET, burns Windows from 95 to now

  • 12 November 2014
  • 9 replies

Userlevel 7
Badge +54

Researcher explains why 19-year-old Windows bug is especially nasty

By Darren Pauli, 12 Nov 2014
Researcher Robert Freeman has identified an 18-year-old critical remotely-exploitable hole affecting all versions back to Windows 95.
The vulnerability (CVE-2014-6332) rated a critical score of 9.3 in all versions of Windows and was described as a rare "unicorn-like" bug in Internet Explorer-dependent code that opens avenues for man-in-the-middle attacks.
The bug bypasses Redmond's lauded Enhanced Mitigation Experience Toolkit along with the Enhanced Protected Mode sandbox in the flagship browser and was patched today, some six months after it was reported, IBM's Freeman said.
"This complex vulnerability is a rare, 'unicorn-like' bug [that] can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user's machine," Freeman said.
"In this case, the buggy code is at least 19 years old and has been remotely exploitable for the past 18 years."

Full Article

More information in this article: 18-Year-Old Remotely Exploitable Vulnerability in Windows Patched by Microsoft

9 replies

Userlevel 7
Wow. That is quite an old bug for it to have persisted this long without being recognized.
Userlevel 7
Another nail in the coffin for those who have not yet migrated off of Windows XP.
Userlevel 7
@ wrote:
Another nail in the coffin for those who have not yet migrated off of Windows XP.
It is frightening the number of those XP systems still in use, in critical situations.
Userlevel 7
Yes it is, Corey. While there are far fewer now than a year ago, there are still far too many in the corporate workspace world, and then how many embedded OS systems are still on XP?
Userlevel 7
@ wrote:
@ wrote:
Another nail in the coffin for those who have not yet migrated off of Windows XP.
It is frightening the number of those XP systems still in use, in critical situations.
Yea, I agree. Monday, when I saw my doctor, I noticed that he was still running Win XP. I confronted him about using Win XP and talked for about 5 minutes on computer security; since my information is on his computer, it's not secure running Win XP. He thanked me and told me that he may be knowledgeable at being a doctor, but I was knowledgeable at computer security. Wow, that made me feel good. He's going to the higher-ups to get all the computers upgraded ASAP in this large building with many doctors. (I did mention Webroot several times, ;) )
Userlevel 7
Well done, Dave! And that is exactly what we should ALL be doing when we see something like that. I admit... I haven't. I will start doing so now.
Userlevel 7
Badge +54
An excellent article concerning this bug.

November 17, 2014 | BY Jérôme Segura

EXCERPT

It is worth noting that Microsoft has offered a patch for its currently supported operating systems, but not for Windows XP and of course any of its precursors.
It is quite hard to believe that such a critical flaw has existed and survived for so many years considering the natural evolution in software development. The fact that Internet Explorer still supports VBScript to ensure backward compatibility is certainly part of the problem.
However, if we consider this page, Microsoft is moving away from VBScript:
As of Internet Explorer 11, VBScript is considered deprecated and should no longer be used as a scripting language for IE11. Webpages displayed in IE11 edge mode won’t execute VBScript code.
Because VBScript is no longer supported for IE11 edge mode, the following API features are no longer available to webpages:
  • The execScript function.
  • The VBArray object.
  • The "text/vbs" and "text/vbscript" MIME types (as supported type values for script elements).
According to the researchers at IBM X-Force, we might see more bugs that relate to arbitrary data manipulation like this one, as opposed to buffer overflows and use-after-free vulnerabilities.

Full Article
Userlevel 7
Badge +54
Posted on 21 November 2014. Last week, in its regular Patch Tuesday, Microsoft patched a number of serious vulnerabilities, including one that is nearly two decades old, dating back to Microsoft IE 3.0.

Discovered by the IBM X-Force Research team, the bug (CVE-2014-6332) can be exploited in drive-by attacks to take over the user's machine, as it allows attackers to sidestep the Enhanced Protected Mode sandbox in IE 11 as well as Microsoft's free EMET anti-exploitation tool.

It didn't take long for someone to make publicly available a proof-of-concept exploit for the flaw, and it took even less time for this particular exploit code to be modified and used by cyber criminals.

Full Article
Userlevel 7
Badge +54
There are more details coming out about this one as I type, so this could be one of those articles that is in the news for several days to come.

By Eduard Kovacs on November 21, 2014

Security companies have started detecting attacks that leverage a critical remote code execution (RCE) vulnerability in Windows, which Microsoft patched last week.
Of the 14 security bulletins released by Microsoft on November 11, MS14-064 is one of the most important. The bulletin addresses a Windows Object Linking and Embedding (OLE) automation array RCE flaw (CVE-2014-6332), and a Windows OLE RCE bug (CVE-2014-6352).
CVE-2014-6352 had already been exploited in limited attacks when Microsoft released the patch, and experts have found that CVE-2014-6332 is also being exploited in the wild.
The CVE-2014-6332 vulnerability was reported to Microsoft in May by researchers from IBM. The company says the issue affects all versions of Microsoft's operating system starting with Windows 95. The vulnerability, which has been dubbed "Unicorn," has existed for at least 19 years, and it has been remotely exploitable since the introduction of Internet Explorer 3.0, which relies on the code affected by the bug.
 
Full Article