Aviv Raff and I have been going back and forth a bit on my blog post on the “non-exploit exploit”. You’ll recall I was skeptical about his post about a new Internet Explorer “exploit”, feeling that it really wasn’t a major issue. He’s a good guy and I respect him and I’m going to try and give him a fair shake here.
His response, with my comments:
1) Nowhere in my post I write that this vulnerability alone may allow a full remote code execution with no user interaction (like the WMF vuln).
That’s true, but you did start all this off with an alarming post entitled “Internet Explorer 7 – Still Spyware Writers Heaven”.
2) The post headline is just the name of the vulnerability with a mention that I’m going to provide a proof-of-concept exploit.. Nothing scary in that 🙂
Ok, Aviv, you have a point. I didn’t make it clear in my first blog post (since corrected) that my comment about your “scaring people” had to do with the naming of your first post (see above).
3) There are some ways of a file to get on the user’s system which will not require full write access. For example: http://www.symantec.com/avcenter/attack_sigs/s21235.html . Now, save this file on the user’s desktop as one of the DLL files, and you have made a remote code execution.
I would argue that this is more of a social engineering issue than an exploit. It’s a design bug, but still requires user interaction.
Aviv made a valid follow-up comment — “I think we have a semantic problem here. You refer to “exploit” as any “remote code execution without user interaction exploit”. What I refer to as an “exploit” is (according to Wikipedia): ‘In computer security, an exploit is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability’. I agree that this vulnerability is not critical, but the code I published is still an exploit.
Yes, I agree with that definition, but it’s all about context here. So he continues to say “Microsoft usually refers to vulnerabilities as critical only if they may allow remote code execution. I still this is critical enough for them to fix this issue on the Windows XP version.”
Right, I agree with Microsoft in this case — a critical vulnerability is one which allows remote code execution.
In other words, something like WMF, SetSlice and the daxctle exploit — all of which we have seen as ways for crackers to gain access to a system without any user acceptance, are critical exploits. The “exploit” that Aviv writes about requires a user to proactively acknowledge and accept (and run) a download. It may be bad, but it’s not nearly as critical as one might be led to believe.
4) Many spywares are using the startup folders/reg keys as way of loading themselves again when the victim restart the machine. Security products (like yours) looks for changes in those folders/reg keys. This vulnerability is another way for an attacker to load his malicious code and bypass this detection.
Not entirely, if there is a signature generated for the rogue DLL (just like any other piece of malware), we’ll catch it, as will many other security products, regardless of where it loads. Aviv responds by saying “I agree, but then why do you have a generic startup folder/reg key changes detection mechanism? All I’m saying is that if this issue is not going to be fixed in XP by Microsoft, the security vendors should consider adding a detection for this kind of threat.” He went on to add that AV signatures are used to detect known threats. Behavioral heuristic engines (e.g. startup folders/reg keys changes detection) are usually used to detect unknown threats.”
He also points out that Microsoft has said they’ll fix this on future OS releases, and that he’s tested IE7 on Windows Vista RTM, and it does not have this vulnerability.
I think Aviv was right to write about this issue and it should be fixed. My problem has been with attaching any sense of alarmism to something which is really not a major issue — there are other bigger fish to fry out there. It goes back to the fundamental illogic: In order for this vulnerability to be exploited, the remote attacker will have to get something (by permission) on a person’s machine in the first place. Apparently, I’m not the only one who has this opinion.
Alex Eckelberry