This is a bad one if you are running Windows XP or Windows Server 2003 with Internet Explorer. If you are running Windows Vista, Windows 7 or Windows Server 2008 then you are not affected
The bad part about this is that all it takes for you is to visit a bad site. If you are using Chrome (like me), FireFox or Safari then you are not affected by this. Microsoft really should redesign IE from scratch and get rid of all that ActiveX baggage/nonsense, it is not worth it, it only causes troubles. Almost every IE vulnerability is ActiveX based.
_Mitigating Factors:
Customers who are using Windows Vista or Windows Server 2008 are not affected because the ability to pass data to this control within Internet Explorer has been restricted.
By default, Internet Explorer on Windows Server 2003 and 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.
By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.
In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
There are 2 ways to do something about this
1) Visit Microsoft Security Advisory (972890) and look in the workaround section where you will find a way so that you can disable attempts to instantiate a COM object in Internet Explorer by setting the kill bit for the control in the registry.
2) Use the fix it button on this page http://support.microsoft.com/default.aspx/kb/972890
Here is a partial list of domains that are exploiting this hole
q23r.cn
wf3gr.8800.org
ads.v8dc.com
name81.8u60.8u.cn
wvg7.cn
ma.o524q.cn
laibuji.w528e.cn
girlfired.d821e.cn
w1.7777ee.com
w2.7777ee.com
w3.7777ee.com
w8.7777ee.com
w9.7777ee.com
milllk.com
haha999b.com
babi2009.com
haha888l.com
xin765.com
A complete list can be found here: http://isc.sans.org/diary.html?storyid=6739
Denis has been working with SQL Server since version 6.5. Although he worked as an ASP/JSP/ColdFusion developer before the dot com bust, he has been working exclusively as a database developer/architect since 2002. In addition to English, Denis is also fluent in Croatian and Dutch, but he can curse in many other languages and dialects (just ask the SQL optimizer) He lives in Princeton, NJ with his wife and three kids.
