The first vulnerability affects Internet Explorer 6 to Internet Explorer 8 on all versions of the Windows operating system starting with Windows XP and ending at Windows 7 and Windows Server 2008 R2. Carlene Chmaj confirms that Microsoft has “started to see targeted attacks” and that customers should check the mitigating factors outlined in the security advisory.

The mitigating factors however describe that it is possible to reduce the impact of a successful exploit on the system but that it is not possible to block exploits completely which means that Internet Explorer users, with the exception of Internet Explorer 9 users, are vulnerable to this attack whenever they use the browser on the Internet. The Internet Explorer user needs to visit a specifically crafted web page to trigger the vulnerability which means that it is recommended to stay away from untrustworthy websites.

The second vulnerability that Chmaj mentioned in the announcement affects the graphics rendering engine which could allow remote code execution as well. The issue affects only some Microsoft operating systems, namely Windows XP, Windows Vista and their server variants Windows Server 2003 and Windows Server 2008. The latest operating systems Windows 7 and Windows Server 2008 R2 are not affected.

Microsoft at this time is not aware of attacks exploiting the vulnerability. The issue can only be exploited on a specifically prepared website or with email attachments that need to be opened by the user. A workaround was posted on the security advisory page that requires an administrator to issue commands on the command line (a Fix It solution is also available)

Modify the Access Control List (ACL) on shimgvw.dll

Note See Microsoft Knowledge Base Article 2490606 to use the automated Microsoft Fix it solution to enable or disable this workaround.

To modify the ACL on shimgvw.dll to be more restrictive, run the following commands from a command prompt as an administrator:

For 32-bit editions of Windows XP and Windows Server 2003:

Echo y| cacls %WINDIR%\SYSTEM32\shimgvw.dll /E /P everyone:N

For 64-bit editions of Windows XP and Windows Server 2003:

Echo y| cacls %WINDIR%\SYSTEM32\shimgvw.dll /E /P everyone:N
Echo y| cacls %WINDIR%\SYSWOW64\shimgvw.dll /E /P everyone:N

For 32-bit editions of Windows Vista and Windows Server 2008:

takeown /f %WINDIR%\SYSTEM32\SHIMGVW.DLL
icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /save %TEMP%\SHIMGVW_ACL.TXT
icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /deny everyone:(F)

For 64-bit editions of Windows Vista and Windows Server 2008:

takeown /f %WINDIR%\SYSTEM32\SHIMGVW.DLL
takeown /f %WINDIR%\SYSWOW64\SHIMGVW.DLL
icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /save %TEMP%\SHIMGVW_ACL32.TXT
icacls %WINDIR%\SYSWOW64\SHIMGVW.DLL /save %TEMP%\SHIMGVW_ACL64.TXT
icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /deny everyone:(F)
icacls %WINDIR%\SYSWOW64\SHIMGVW.DLL /deny everyone:(F)

Impact of Workaround: Media files typically handled by the Graphics Rendering Engine will not be displayed properly.

How to undo the workaround:

Run the following commands from a command prompt as an administrator:

For 32-bit editions of Windows XP and Windows Server 2003:

cacls %WINDIR%\SYSTEM32\shimgvw.dll /E /R everyone

For 64-bit editions of Windows XP and Windows Server 2003:
cacls %WINDIR%\SYSTEM32\shimgvw.dll /E /R everyone
cacls %WINDIR%\SYSWOW64\shimgvw.dll /E /R everyone

For 32-bit editions of Windows Vista and Windows Server 2008:

icacls %WINDIR%\SYSTEM32 /restore %TEMP%\SHIMGVW_ACL.TXT

For 64-bit editions of Windows Vista and Windows Server 2008:

icacls %WINDIR%\SYSTEM32 /restore %TEMP%\SHIMGVW_ACL32.TXT
icacls %WINDIR%\SYSWOW64 /restore %TEMP%\SHIMGVW_ACL64.TXT

The last vulnerability, or set of, was discovered by Michal Zalewski. Browser vendors were contacted in July 2010 and as of now all have not completely managed to resolve the issues reported to them.

Mitigating factors help in limiting the impact of the vulnerability on target systems. Microsoft mentions protected mode, a feature of Internet Explorer on Windows Vista and later Windows operating system. Protected Mode gives the attacker limited rights on the affected system.

The other mitigating factors are:

• By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone, which disables script and ActiveX controls, reducing the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.
• An attacker who successfully exploits this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.

No patch is currently available to resolve the issue. Users should keep an eye on the Security Advisory. A Technet article reveals additional details about the vulnerability.

The vulnerability only affected Internet Explorer 6 and Internet Explorer 7; Anyone updating their web browser to the latest official version of Internet Explorer would protect the computer system from the security vulnerability.

But not everyone was able to update. Especially users in corporate environments have still to cope with outdated versions of Internet Explorer.

Microsoft now has released a so called Fix It solution to patch the vulnerability so that it cannot be exploited anymore. A Fix It solution is basically a small program that can be executed right from the web browser to fix problems on the operating system.

Actually, there are two fix it solutions for the same vulnerability and it is enough to use one of them to protect the PC from the Internet Explorer vulnerability.

• Fix it solution for peer factory in iepeers.dll We have created an application compatibility database that will disable peer factory in the iepeers.dll binary for supported versions of Internet Explorer on Windows XP and Windows Server 2003.
  To install this application compatibility database, click the Fix it button in the “Fix it solution for peer factory in iepeers.dll” section.
• Fix it solution for Data Execution Prevention We have created an application compatibility database that will enable Data Execution Prevention (DEP) for all versions of Internet Explorer that support DEP. You do not need this database if you are using Internet Explorer 8 on Windows XP Service Pack 3 (SP3) or on Windows Vista SP1 or later versions. This is because Internet Explorer 8 opts-in to DEP by default on these platforms.
  To install this application compatibility database, click the Fix it button in the “Fix it solution for Data Execution Prevention” section

The second Fix-It patch requires a computer system that supports DEP which means that it works on every Microsoft operating system from Windows XP on which obviously excludes Windows 2000. The processor also needs to support Hardware-enforced DEP

Both Fix It solutions can be executed or downloaded form this Microsoft Knowledgebase article.

The impact of the vulnerability is a remote code execution that can be triggered by an invalid pointer reference that can be the cause for the remote code execution.

Microsoft is aware of targeted attacks. It is therefor recommended to update Internet Explorer to the latest version or ensure that Protected Mode in Internet Explorer is enabled.

Possible attack vectors are manipulated websites that are used to exploit the security vulnerability either directly or by third party code that is being displayed on the website or by attacking the email clients Microsoft Outlook or Windows Mail with HTML emails that exploit the vulnerability.

Interested users can visit the security advisory issued by Microsoft to get additional information about the security vulnerability.

Another possibility to protect the computer from the vulnerability would be to switch at least temporary to another Internet browser although this might not always be possible.

The vulnerability is not exploited currently according to Microsoft’s information and it is not likely that it will as a user on the target system needs to be convinced to press the F1 key in response to a pop up dialog box on a specifically prepared website.

The issue in question involves the use of VBScript and Windows Help files in Internet Explorer. Windows Help files are included in a long list of what we refer to as “unsafe file types”. These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system. To help customers better understand unsafe file types, we have published a white paper on the topic which you can find by clicking this link.

There is currently no fix for affected operating systems but Microsoft confirmed that they continue investigating the issue. It is likely that a patch for the vulnerability will be provided shortly. As of now all users need to remember is to not press F1 when they are accessing websites.

That leaves Windows XP as the main target of the vulnerability which can be used to read files from the operating system if the filename and path are known.

The vulnerability exists due to content being forced to render incorrectly from local files in such a way that information can be exposed to malicious websites.

At this time, we are unaware of any attacks attempting to use this vulnerability. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Microsoft provides access to four different temporary solutions to protect a computer system from the Internet Explorer vulnerability. Solution four is probably the easiest and most convenient solution at this moment.

• Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones
  

  To raise the browsing security level in Internet Explorer, follow these steps:

  1. On the Internet Explorer Tools menu, click Internet Options.
  2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
  3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.

  Note If no slider is visible, click Default Level, and then move the slider to High.

  Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
  

  To do this, follow these steps:

  1. In Internet Explorer, click Internet Options on the Tools menu.
  2. Click the Security tab.
  3. Click Internet, and then click Custom Level.
  4. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
  5. Click Local intranet, and then click Custom Level.
  6. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
  7. Click OK two times to return to Internet Explorer.

  Note Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly.

• Enable Internet Explorer Network Protocol Lockdown for Windows XP
  

  To lockdown the “file” protocol, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

  Windows Registry Editor Version 5.00
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
  “explorer.exe”=dword:00000001
  “iexplore.exe”=dword:00000001
  “*”=dword:00000001

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols]
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\1]
  “file”=”file”

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\3]
  “file”=”file”

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\4]
  “file”=”file”

• Enable Internet Explorer Network Protocol Lockdown using automated Microsoft Fix It [link]

System administrators can take a look at the vulnerability information page for further information about and impact of the vulnerability.

The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

Microsoft is currently working on a patch to fix the vulnerability with the likelihood that the patch will be released out of their usual patch cycle as an emergency patch.

The patch confirmation page lists several mitigating factors but the safest option right now is to switch to a different web browser at least for as long as no patch is provided to protect the computer system from the vulnerability.

This security update is being released out of band in conjunction with Microsoft Security Bulletin MS09-035, which describes vulnerabilities in those components and controls that have been developed using vulnerable versions of the Microsoft Active Template Library (ATL). As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls that have been developed with vulnerable versions of ATL as described in Microsoft Security Advisory (973882) and Microsoft Security Bulletin MS09-035.

This security update also resolves three privately reported vulnerabilities in Internet Explorer. These vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1, running on supported editions of Microsoft Windows 2000; Critical for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 running on supported editions of Windows XP; Critical for Internet Explorer 7 and Internet Explorer 8 running on supported editions of Windows Vista; Moderate for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 running on supported editions of Windows Server 2003; and Moderate for Internet Explorer 7 and Internet Explorer 8 running on supported editions of Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.

Windows users should make sure to download the security update as soon as possible. It is available at the usual sources including automatic updates, Windows Update or Microsoft Update.

The security vulnerability affects only Windows XP and Windows Server 2003 systems. Computer systems running Windows Vista, Windows Server 2008 or Windows 7 are not affected because “the ability to pass data to this control within Internet Explorer” is restricted in these operating systems.

A successful attack will give the attacker the same user rights as the currently logged in user. Microsoft has issued a workaround for the Internet Explorer vulnerability that can be applied manually or using Microsoft Fix It.

The fastest way to patch the security vulnerability is to use the Microsoft Fix It script that will perform all the actions of the workaround automatically. The fix will basically remove support for the ActiveX Control in Internet Explorer. This should not have any impact on the web browser’s functionality according to Microsoft.

Affected are all Real Player versions running under Internet Explorer. Microsoft has an article up that explains Killbits and what they do. They basically prevent Active X controls from being loaded in Internet Explorer. I still would recommend to either switch to Firefox or Opera temporarily or uninstall Real Player for the time until a security patch has been created.

Researcher Elazar Broad has posted to the Full Disclosure mailing list a so-called heap overflow vulnerability that makes it possible for an attacker to modify heap blocks after they are freed and overwrite certain registers.

The killbits that should be disabled are the following:

• 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93
• CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA

This will definitely have the effect that some Real Player functions will stop working properly.