Old DoS vulnerability in Internet Explorer turns into giant hole
The Month of the Browser Bug (MoBB) is still sending out ripples, even two months after its conclusion. H.D. Moore has now released an exploit for a DoS vulnerability in Internet Explorer that was announced back in July. It can be used to plant and launch arbitrary code onto a fully patched Windows XP SP2 machine. Tests by the heise Security editorial staff using the Metasploit module showed that the exploit did not function correctly with every attempt, but that it nevertheless functioned.
The flaw is based on a buffer overflow contained in the ActiveX control WebViewFolderIcon (webvw.dll) in the setclice function. Two months ago, it was assumed that the error could be only be used to crash Internet Explorer. However, even at that time H.D. Moore speculated that the hole could also be used for "Remote Code Execution," -- and now he's proved his theory. Just how many of the 25 DoS holes in Internet Explorer uncovered during the MoBB that might potentially turn into greater threats, remains unclear.
Two days after the unscheduled patch release for the VML hole, two unpatched holes still remain in Microsoft's browser. For the hole in the DirectAnimation control that is already being exploited by crimeware gangs, an advisory from the Redmond company's specialists recommends setting the corresponding kill bit to deactivate it until a patch is made available. Unfortunately, no advisory has been released as yet for the Webview hole. A vulnerability note from US-CERT recommends that users also set the kill bit for the Webview control. The CLSID of the control is {844F4806-E8A8-11d2-9652-00C04FC30871}. Users who do not need the control can save the following text into a file along the lines of webview_deakt.reg:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-9652-00C04FC30871}] "Compatibility Flags"=dword:00000400
A double-click adds the entry to the registry. Inexperienced users should not attempt to perform this workaround, and are instead advised to completely deactivate ActiveX in Internet Explorer, or to move instead to an alternate browser, like Firefox or Opera.
- Microsoft Windows WebViewFolderIcon ActiveX integer overflow, warning from US-CERT
- MSIE SetSlice Vuln, Blog entry by RioSec
(trk)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
