Video proof-of-concept

Jul 28, 2009 12:59 GMT

A proof-of-concept attack against Internet Explorer demonstrates how a patched vulnerability can be exploited in order to take over the victim's computer. The demo, hosted on Hustlelabs, comes courtesy of three security researchers, Mark Dowd, Ryan Smith and David Dewey, who are scheduled to present the attack in detail at Black Hat 2009 in Las Vegas. Black Hat participants can get a more hands-on look at the attack in their presentation, "The Language of Trust: Exploiting Trust Relationships in Active Content."

Microsoft has already patched the Video ActiveX Control vulnerability (CVE-2008-0015) with the release of Security Bulletin MS09-032. The update package, a Cumulative Security Update of ActiveX Kill Bits, was designed to patch a vulnerability already exploited in the wild.

“The vulnerability in Microsoft Video ActiveX Control could allow remote code execution if a user views a specially crafted Web page with Internet Explorer, instantiating the ActiveX control. This ActiveX control was never intended to be instantiated in Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft explains in the security bulletin.

The Redmond company noted that the vulnerability was rated Critical only for Windows XP, and just Moderate for Windows Server 2003, with all newer Windows releases, including Windows Vista and Windows 7, not affected by the security flaw. Still, even Vista and Windows 7 received the security update, in a move that Microsoft referred to as defense-in-depth.

“A remote code execution vulnerability exists in the Microsoft Video ActiveX Control, msvidctl.dll. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user,” the software giant explained.

In the Hustlelabs video (via The Register), the security researchers can be seen exploiting the patched vulnerability in Internet Explorer 8. Essentially, the demonstrated attack bypasses the ActiveX killbits that the Redmond company set in place. Today, July 28th, Microsoft will release an out-of-band security update patching vulnerabilities in Internet Explorer and Visual Studio. The patch, which falls outside the company's monthly patch cycle, is designed to protect Windows users against attacks that use the same exploit and killbit circumvention techniques shown in the Hustlelabs video.

"When Internet Explorer calls CoCreateInstance with a class id of a control that has been killbitted, something that should never happen, then the ProgID of the control is logged in the killbit allow log," the researchers noted in the video. "If the killbit is set, it should never be allowed to load in Internet Explorer...ever...much less execute shell code that runs calc.exe."

And yet, by exploiting the patched vulnerability in Microsoft’s MPEG2TuneRequest ActiveX Control Object, the security researchers are indeed able to execute shell code, namely to launch Calculator.
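As an added, defender-side example (not code from the article or from the Hustlelabs researchers), the PowerShell below audits whether the kill bit is actually set for a given control CLSID on the local machine, reading the "Compatibility Flags" value Internet Explorer consults before instantiating a control; the CLSID in it is a placeholder to be replaced with the ones listed in MS09-032.

```powershell
# Added example, not from the article: audit ActiveX kill bits on the local machine.
# IE stores kill bits under
#   HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# in the DWORD "Compatibility Flags"; bit 0x400 means "never instantiate in IE".
# 32-bit IE on 64-bit Windows reads the Wow6432Node copy, so both hives are checked.

$KillBitFlag = 0x400
$Hives = @(
  'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-ActiveXKillBit {
  # Returns an object saying whether the kill bit is set for $Clsid and in which hive.
  param([Parameter(Mandatory)][string]$Clsid)

  foreach ($hive in $Hives) {
    $key = Join-Path $hive $Clsid
    if (-not (Test-Path $key)) { continue }

    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -ne $flags -and (($flags -band $KillBitFlag) -eq $KillBitFlag)) {
      return [pscustomobject]@{ CLSID = $Clsid; KillBit = $true; Hive = $hive }
    }
  }
  # Key absent or flag not set: IE would still instantiate this control.
  return [pscustomobject]@{ CLSID = $Clsid; KillBit = $false; Hive = $null }
}

# Placeholder CLSID; substitute the CLSIDs from the MS09-032 kill-bit list.
$ClsidsToCheck = @('{00000000-0000-0000-0000-000000000000}')

$ClsidsToCheck |
  ForEach-Object { Test-ActiveXKillBit -Clsid $_ } |
  Format-Table -AutoSize
```

A control reported with KillBit = $false is one IE will still load, so the output is the list to reconcile against the bulletin after patching.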