WatchGuard Wire
Improve Your Security IQ
Why you need SP2: My experiences testing msdds.dll exploit code
Today, the media is abuzz about a new unpatched Internet Explorer (IE) vulnerability and the corresponding exploit code that someone let loose on the Internet. This newly-reported flaw lies within msdds.dll, a COM Object that ships with Microsoft Office and Visual Studio .NET. By enticing you to a malicious Web site, an attacker could exploit this vulnerability to potentially gain total control of your computer. If you subscribe to LiveSecurity or LiveSecurity Informer, you can learn much more about this vulnerability, and how to protect yourself from it, in my latest LiveSecurity Alert.
However, here I share an experience I had testing the exploit code for this msdds.dll vulnerability. It has renewed my faith in some of the security features Microsoft implemented in Windows XP Service Pack 2 (SP2). The exploit code I used to reproduce this flaw was a Perl script that generates a malicious Web page (you can find it on FrSIRT's site, but I won't "direct-link" the code). I performed my tests on a stock Windows XP SP2 machine from Fry's.
First, I ran the exploit code through Perl to create my malicious Web page. Immediately, an antivirus (AV) warning popped up. The AV software said it had detected a trojan that exploited MS05-037 and wanted to delete my malicious Web page test file. What does this AV software warning have to do with SP2? Well, SP2 strongly enforces AV software. It hooks into most AV vendors' software and warns you whenever the software is not active or up-to-date. In other words, SP2 makes it really hard for you to use a computer without knowing whether your AV software is installed and working. To continue with my test I had to disable my AV software (which SP2 complained about. A lot.).
Next, I opened IE so that I could browse to my newly-created, malicious Web file. However, when I opened the file in IE nothing happened. Instead, IE informed me, "To help protect your security, Internet Explorer has restricted this file from showing active content that could access your computer." This IE security feature is just one of the many improvements you get when you install SP2. To continue my test, I had to tell IE not to block active content. It then asked me to confirm again, saying, "Allowing active content such as scripts and ActiveX controls can be useful, but active content may harm your computer." SP2's improved IE security settings make it really difficult to run malicious code accidentally.
Finally, when I turned off IE's security settings, my malicious Web page worked. It exploited the msdds.dll vulnerability, then attempted to bind a command shell to TCP port 28876. However, SP2's improved security features kicked into gear again, this time with the built-in Windows Firewall. The SP2 firewall informed me that IE had tried to make an unauthorized connection that it had blocked. It asked me if I wanted to unblock it. Really, the firewall was blocking TCP port 28876, thus preventing an attacker from reaching my computer on that port and gaining total control via this exploit code. Firewalls are a must!
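The host-side symptom the SP2 firewall prompt was reacting to, a browser process holding a listening TCP socket, can also be hunted for directly. The script below is an added example, not code from the original post or from WatchGuard: it parses constructed `netstat -ano` style lines plus a constructed PID-to-image map (as `tasklist` would supply) and alerts on any listener owned by a browser, since browsers should only make outbound connections.

```python
"""Flag browser processes that hold a listening TCP socket.

A bind-shell payload like the one in the msdds.dll exploit above leaves
iexplore.exe with a LISTENING socket (TCP 28876 in the post). Sample data
here is constructed to look like `netstat -ano` and `tasklist` output; it
is not a real capture.
"""
import re

# Constructed sample of `netstat -ano` style lines (not real capture data).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    0.0.0.0:28876          0.0.0.0:0              LISTENING       1844
  TCP    192.168.1.10:1057      203.0.113.5:80         ESTABLISHED     1844
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
"""

# Constructed PID-to-image map, as `tasklist` would provide it.
PROCESS_SAMPLE = {952: "svchost.exe", 1844: "iexplore.exe", 4: "System"}

# Workstation processes that should never accept inbound connections.
BROWSER_IMAGES = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe"}

LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)


def parse_listeners(netstat_text):
    """Return (local_addr, port, pid) for every TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("state") == "LISTENING":
            listeners.append((m.group("addr"), int(m.group("port")), int(m.group("pid"))))
    return listeners


def find_browser_listeners(netstat_text, pid_to_image):
    """Return (image, port, local_addr) for each listener owned by a browser."""
    alerts = []
    for addr, port, pid in parse_listeners(netstat_text):
        image = pid_to_image.get(pid, "<unknown>")
        if image.lower() in BROWSER_IMAGES:
            alerts.append((image, port, addr))
    return alerts


if __name__ == "__main__":
    for image, port, addr in find_browser_listeners(NETSTAT_SAMPLE, PROCESS_SAMPLE):
        print(f"ALERT: {image} is listening on {addr}:{port}; browsers should not accept inbound connections")
```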
In the end, I learned the msdds.dll exploit code works and you need to be wary of it, especially if you don't use XP SP2. However, I also learned that SP2's improved security features really can work. It keeps throwing security wrenches into an Internet attack's gears. Add a WatchGuard Firebox to the mix at your gateway and now you're talking! This is what "defense in depth" is all about.
Regular readers of the Wire know that we point out Microsoft's security shortcomings whenever we think it's appropriate. It seems only fair to also mention when Microsoft security works against a scary real-world attack. If you haven't installed XP SP2 yet, my exploit code testing experience suggests you should do so as soon as you can. -- Corey Nachreiner
Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.