MS-DEFCON 2: Problems with the patches – and an exploit
Posted on February 18th, 2009 at 08:49 · 10 comments
Trend Micro notes that their researchers have found a very limited, targeted exploit for the Internet Explorer 7 hole patched last Tuesday by MS09-002.
Details are sketchy, but this is what I’ve been able to figure out so far. The exploit arrives in the form of a Word document, attached to a piece of spam. The spam is highly targeted – which probably means Trend Micro has only seen it on mail addressed to one organization.
The bad document is caught by Trend Micro and flagged as a virus. If you insist upon opening the doc, it includes ActiveX controls which are (surprise!) fed to Internet Explorer. If you have IE 7 installed on your computer, you’re vulnerable.
I have no idea how the ActiveX controls kick in – if you have to click something, or if merely opening the doc is sufficient. I also have no idea what happens if Firefox is your default browser – Firefox doesn’t recognize ActiveX, of course. Lots of unanswered questions. But the bottom line is that Trend Micro has seen a bad .DOC file that takes advantage of the hole patched by MS09-002.
Susan Bradley at Windows Secrets Newsletter has discovered that installing last Tuesday’s Killbit patch, KB 960715, can make some Visual Basic programs toast.
I suggest that you continue to wait to install last Tuesday’s patches.
10 responses to “MS-DEFCON 2: Problems with the patches – and an exploit”
wow. pretty. Easy to read for still new-ish.
Hans Peter Guttmann February 22nd, 2009 at 12:21
Among the programs toasted by the Killbit patch, KB 960715 is ‘Enveloper’ in WOPR 2003.
Uninstalling the patch restored 100% functionality to Enveloper on Vista Ultimate SP1 32 + 64-bit systems.
Yeah, I know — 2003: time and times move on, but Enveloper remains a component of Word I use almost daily.
Great new format! I’m an IT professional and I refer to this site daily so massive kudos on the changes. Thanks. Paul
Yuhong Bao February 25th, 2009 at 12:46
“Susan Bradley at Windows Secrets Newsletter has discovered that installing last Tuesday’s Killbit patch, KB 960715 can make some Visual Basic programs toast.”
Do you know what a killbit is? If you don’t know, a killbit prevents execution of an ActiveX control in IE. The reason MS pushed out kill-bits in an update is that older versions of the killed ActiveX controls have security vulnerabilities. Usually by the time MS releases a kill-bit update, the vendor already has released the security update for the control that fixes the vulnerability, which uses a Phoenix-bit to redirect attempts to load the old version to the new version. For example, one of the ActiveX controls that was killed by this kill-bit update was old versions of the ActiveX controls that shipped with VB6, which already was patched in MS08-070. So the remedy for this one is for the developer to install MS08-070 or KB957924 on their development machine, then redistribute the new version of the ActiveX control.
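The kill-bit and Phoenix-bit mechanism described in the comment above is visible in the registry, which is where an administrator would verify what KB 960715 actually changed on a machine. The script below is an added example, not code from the post, the commenters, or Microsoft: it reads the per-CLSID keys under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility, reports whether the kill bit (0x400 in the "Compatibility Flags" DWORD) is set and whether an "AlternateCLSID" value (the Phoenix bit, which redirects IE to the replacement control) is present, and lists every killed control on the system. The CLSID in $SampleClsids is a constructed placeholder, not one of the controls affected by this update.

```powershell
# Added example: audit kill-bit / Phoenix-bit state of ActiveX controls on this machine.
# Under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}:
#   "Compatibility Flags" (DWORD) with bit 0x400 set  => control is killed in IE
#   "AlternateCLSID"      (string)                    => Phoenix bit: IE loads this CLSID instead
$ActiveXCompatKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400

function Get-ActiveXKillBitState {
    param(
        [Parameter(Mandatory)][string]$Clsid   # e.g. '{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}'
    )
    $keyPath = Join-Path $ActiveXCompatKey $Clsid
    $result = [ordered]@{
        CLSID          = $Clsid
        KeyPresent     = $false
        KillBitSet     = $false
        AlternateCLSID = $null
    }
    # -LiteralPath so the braces in the CLSID are never treated as wildcards
    if (Test-Path -LiteralPath $keyPath) {
        $result.KeyPresent = $true
        $props = Get-ItemProperty -LiteralPath $keyPath
        $flags = $props.'Compatibility Flags'
        if ($null -ne $flags -and (($flags -band $KillBitFlag) -ne 0)) {
            $result.KillBitSet = $true
        }
        if ($props.PSObject.Properties['AlternateCLSID']) {
            $result.AlternateCLSID = $props.AlternateCLSID
        }
    }
    [pscustomobject]$result
}

# Defender view: every control currently killed on this machine, with its Phoenix redirect if any.
function Get-AllKilledActiveXControls {
    Get-ChildItem -Path $ActiveXCompatKey -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ActiveXKillBitState -Clsid $_.PSChildName } |
        Where-Object { $_.KillBitSet }
}

# Usage: check the controls an application or page depends on (constructed placeholder CLSID).
$SampleClsids = @('{00000000-0000-0000-0000-000000000000}')
foreach ($c in $SampleClsids) { Get-ActiveXKillBitState -Clsid $c | Format-List }
Get-AllKilledActiveXControls | Select-Object CLSID, AlternateCLSID | Format-Table -AutoSize
```

Run it before and after applying the update on a test machine and diff the output of Get-AllKilledActiveXControls: a control that gains a kill bit without an AlternateCLSID is one that applications such as Enveloper can no longer load, which is the failure mode the post describes.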
Yuhong Bao February 25th, 2009 at 12:50
MS have a FAQ on the kill bits and phoenix bits:
OY! And Microsoft’s solution involves re-compiling the application. Whotta mess.
Yuhong Bao February 25th, 2009 at 22:13
“OY! And Microsoft’s solution involves re-compiling the application. Whotta mess.”
No, just repackaging with the new version of the ActiveX controls.
vpone June 16th, 2009 at 22:29
No, Yuhong: if you were using ANY of these ActiveX controls on a webpage you now must repackage the .lpk file with the new CLSID – the only problem is it reverts back to the original CLSID of the control –
Microsoft screwed up bigtime here!
vpone June 16th, 2009 at 22:31
More info from your link:
“Typically, you can use the LPK Tool to create a license package. Unfortunately, you cannot do so in this case because the new CLSIDs for the kill-bit/phoenix bit are hidden on your development machine. Only the legacy CLSIDs are available. In this case, you would need to contact Microsoft Support to generate an LPK file for you.”
Typically Microsoft support costs $259/incident.
True – but if you can PROVE that it’s associated with a security patch, it’s free.
That’s a big “if” of course.