Websites infect PCs via hole in Windows speech API
Symantec has announced that a security flaw in Internet Explorer 6 and 7, which was made public last Patch Tuesday, is now being exploited to infect visitors of websites with malware. The flaw lies in the Microsoft Speech API, which Internet Explorer uses, among other things, for voice output. Specially crafted data cause buffer overflows in two of the ActiveX controls this API requires - XVoice.dll and XListen.dll. These overflows can then be exploited to overwrite a pointer to a Structured Exception Handler with a reference to arbitrary code, which is subsequently executed.
Although the two exploits for Internet Explorer 6 on Windows 2000 SP4 and XP SP2 have been publicly available for almost two weeks, until now no websites have been known to exploit these holes. While the demo exploits allegedly only install an additional user account (user: sun, password: tzu), Symantec indicates that the websites inject shell code that apparently installs additional programs. The security provider does not, however, say how many users are affected. At the moment, the attack seems to have a limited scope.
Users of Windows XP SP2 should have already received the updates automatically; users of Windows 2000 with SP4 will have to download and install the patches manually or run the Windows Update to protect themselves.
The vulnerability also potentially affects Internet Explorer 7, though it is not yet clear whether the exploits currently in circulation also work on that version. Microsoft has itself categorized the vulnerability as "critical" for Vista, a rating that also implies the possibility of "remote code execution". In contrast, the problem is only categorized as "moderate" for Windows Server 2003. Apparently, the numerous security functions added to Vista are not able to prevent users from being infected when they visit a specially crafted website.
Since Vista was released almost six months ago, Microsoft has closed seven critical holes (MS07-010, MS07-017, MS07-021, MS07-027, MS07-033, and MS07-034 for two flaws) that the software vendor believed would allow malicious code to be executed. Usually, users only needed to visit a manipulated website or receive an e-mail for the vulnerability to be exploited. Only last week, Jeff Jones, Security Strategy Director for Microsoft's Trustworthy Computing Group, stated that his analysis showed that Vista had proven to be safer than many Linux distributions and Mac OS X over the first six months because fewer patches had had to be released for exploitable holes. Unfortunately, it is doubtful that the number of patches published truly reflects the level of security provided.
- DeepSight HoneyNet Detects Obfuscated Attacks for MS07-033 and Xunlei WebThunder, Symantec's advisory
- Microsoft: Vista more secure than Linux and Mac OS X - in the beginning, report at heise Security