Direct Animation Overflow and IE7


A researcher posted a vulnerability against IE6 yesterday that uses random input to create a heap overflow in a Direct Animation object. Our team is testing a security update right now to fix this overflow, but in the meantime you can keep your systems safe from this vulnerability by disabling ActiveX controls in the Internet zone. If you're a desktop administrator responsible for a set of desktops, you can publish a more tactical fix by disabling the control itself. If you have the ability to set registry keys on user desktops, the following key will disable the vulnerable object (this is the ActiveX "killbit" for its CLSID):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}]

“Compatibility Flags”=dword:00000400
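An added example, not part of the original post, for administrators who would rather script and verify the killbit than hand out a REG file. It sets the 0x400 flag for the CLSID named above while preserving any other flag bits, then reports the state before and after. The function names are my own; the CLSID and flag value are the ones in the post. Run from an elevated PowerShell prompt.

```powershell
# Added example: set and verify the IE ActiveX "killbit" for the Direct Animation CLSID.
# Compatibility Flags bit 0x400 tells Internet Explorer not to instantiate the control.
$Clsid   = '{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}'   # CLSID from the post
$KillBit = 0x400                                      # value from the post
$Path    = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
# Note (assumption for modern hosts): 32-bit IE on 64-bit Windows reads the
# equivalent key under HKLM:\SOFTWARE\Wow6432Node\...; apply there as well if needed.

function Get-KillBitState {
    param([string]$RegPath)
    $item = Get-ItemProperty -Path $RegPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'missing' }          # key or value absent: control loads
    $flags = [int]$item.'Compatibility Flags'
    if (($flags -band $KillBit) -eq $KillBit) { return 'set' }
    return 'clear'                                     # value exists but killbit not set
}

function Set-KillBit {
    param([string]$RegPath)
    if (-not (Test-Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null       # create the per-CLSID key
    }
    $current = 0
    $item = Get-ItemProperty -Path $RegPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -ne $item) { $current = [int]$item.'Compatibility Flags' }
    # OR in the killbit so any other compatibility bits already present survive.
    Set-ItemProperty -Path $RegPath -Name 'Compatibility Flags' `
        -Value ($current -bor $KillBit) -Type DWord
}

Write-Host "Killbit for $Clsid before: $(Get-KillBitState $Path)"
Set-KillBit $Path
Write-Host "Killbit for $Clsid after:  $(Get-KillBitState $Path)"
```

Get-KillBitState on its own is a useful audit check to run across a fleet: "missing" or "clear" means the control can still be instantiated.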

The fact that the research community found this bug is a credit to them, and evidence of the continued creativity going into tools like HD Moore's Metasploit. I admire their creativity, but I do think a public disclosure is a missed opportunity to work together on the problem. Security researchers like Dan Kaminsky and Mark Litchfield want the same thing as the security engineering teams: researchers want to find inventive new attacks and see their creations fixed elegantly by the security engineering teams. I welcome and challenge more researchers to come participate in the process; you can start with a mail to secure@microsoft.com.

The good news in yesterday's disclosure is that IE7 is safe against this attack and many of the other recent attacks on IE6. The input of the security community had a deep impact on the security strategy for IE7. As we worked with researchers to strengthen the core of the IE7 codebase against threats, we also eliminated threats on the periphery by reducing the attack surface that we expose to malicious websites. Most notably, IE7 reduces attack surface by disabling most ActiveX controls on the system by default. We actually went a step further with the Direct Animation control and effectively removed it when you install IE7.

While we're reducing the attack surface from ActiveX, pragmatists will realize that ActiveX controls and other binary extensions are a part of client software for the foreseeable future. ActiveX controls are important and can be built just as safely as any other client code. I'm in frequent contact with the engineering teams for the most commonly used ActiveX controls on the internet, like Adobe Flash, Apple QuickTime, RealPlayer, WMP, the Sun JRE and Adobe Acrobat. They are also working with the security research community, and they are making the same type of investments to strengthen their controls against attacks.

Some developers will re-enable less commonly used controls for particular scenarios on some systems. Since the default for most ActiveX controls in IE7 is off, the value of an ActiveX vulnerability like the one reported yesterday will start to approach zero.

Rob Franco
Lead Program Manager

Comments (33)

  1. Steve Shockley says:

    You said: "I admire their creativity but I do think a public disclosure is a missed opportunity to work together on the problem."

    HD Moore did disclose this to you privately; it’s not his fault you didn’t fix it before someone else found it.

    http://www.securityfocus.com/archive/1/446085/30/0/

  2. Steve is right and yes, the ISC reported about the problem back on September 1: http://isc.sans.org/diary.php?storyid=1661

    Since I have been aware of the exploit, I offered a ZIP file containing REG files to set and remove the "killbit" for the control/object: http://patch-info.de/IE/2006/09/01/ – warning, that's a German writeup 😉

    Bye,

    Freudi

  3. Mike says:

    Why, whenever there is a security breach, does Microsoft start off by implying that it's not their fault but the person who posts it? If I left a key under the door mat to my house and the house got robbed, I would blame myself. Microsoft would blame the nosey neighbour with a blabber mouth who told the thief.

  4. Jerry Mead says:

    "We actually went a step further with Direct Animation control and effectively remove it when you install IE7."

    Can you honestly claim that this decision – and its associated content breakage – was taken solely for security reasons? Just interested.

  5. Fduch says:

    I totally agree with Steve.

    MS doesn’t bother until MANY users are exploited. They say something like "But there’s still no exploit".

    And back to the topic. I clearly see they are doing it now with IE7 development.

    As Top Voter and Top Validator on Connect I can say that too many important bugs are closed because there are still no exploits for them.

  6. @Steve and Fduch, It takes time to test security updates for compatibility. As Jerry Mead points out, disabling Direct Animation will impact sites. I am not pointing blame with this post, I’m pointing out an opportunity for the future. When we work together with the community, we can develop fixes that protect customers but don’t break the sites that those customers are visiting.

  7. Fiery Kitsune says:

    You guys don’t bother to fix an exploit until it is publicly disclosed and there is an outcry…

  8. @Fduch, our security development and test teams review each bug report to see if it is exploitable.

    If you think they misjudged a bug or we’re not casting a wide enough net, please send email to secure@microsoft.com.

    @Fiery, fixing the bug is the first step and that’s done. Testing the fix properly is maybe even more important.

  9. Tony says:

    "[T]he most commonly used active controls on the internet like Adobe Flash, Apple Quicktime, the RealPlayer, WMP, the Sun JRE and Adobe Acrobat."

    I was just thinking about this last night, but is it possible for the respective companies to release these products without using ActiveX?

    I know about the security issues involving ActiveX, but I don't understand why alternatives are not presented by MS. I understand that you want backwards capability and to reduce the possibility of broken sites. However, even with SP2 it's a hassle to install even these products with the info bar and other security features. Having it disabled, period, may create even more havoc.

    If ActiveX is so dangerous why not just remove it in a next version? Apparently you’ve decided it’s safe to do so with Direct Animation. It’s not like the existing ActiveX components won’t work with existing browsers after all.

  10. redxii says:

    Tony, ActiveX is equally dangerous as the privileges you are running with. Exploits like this are stopped by a non-admin account even on default IE settings; it doesn’t even get to the part about execution of code. Killbit/patch not needed. Exploiting an already installed control under a non-admin account won’t have it magically gain system privileges.

    That said, the following setting could have prevented WMF files from executing: "Open files based on content, not file extension" set to Disabled (Enabled by default). The WMF exploit used a 1×1 IFRAME. Making an enlarged IFRAME and pointing it to a malicious WMF file with "Open files based on content, not file extension" set to Disabled, a bunch of garbage displayed in the IFRAME and IE warned me that the security info didn’t match. Otherwise, it executed with the default setting.

    Disabling "Allow sub-frames to navigate across different domains" foiled the IE and Flash address bar spoofing. (CVE-2006-1626)

  11. Fduch says:

    @Rob Franco

    There were many cases when bug information was sent to you by security experts/hackers but was neglected. After some time it became public. And after some MONTHS someone created an exploit. And then MS begins to bitch about "full public disclosure" that is hurting users. I think that ignorance hurts more.

  12. Fduch says:

    Just some random vulnerability.

    "Successful exploitation allows an arbitrary file on the user’s system to be uploaded to a malicious web site, but requires that the user types a text containing the characters of the filename."

    More than 3 months old.

    Unpatched.

    I think it would remain unpatched for at least a year.

  13. hAl says:

    @fduch

    That does not sound like a very critical vulnerability. Surfing to a website and filling in the name of a file on your system and then having that file upload to that system seems difficult to exploit.

  14. goose says:

    you guys are being too hard on Microsoft. They don’t have enough money to fix all your silly bugs! The resources are being stretched! Poor coders, I feel sorry for them!!!111

  15. tuscan5 says:

    I hope an earlier release of any available update will be decided on. This Security Advisory appeared only 3 days after monthly updates and it will take over 3 weeks for October updates to arrive. It is suggested to alter the Registry. This seems inappropriate for popular computing (how can popular computing be held back?)

  16. Vista_the_ther_Linux says:

    I tried Vista RC today.  After waiting an hour for it to install it told me it refused to run because the driver for my SATA was not digitally signed.  I don’t give a fire eating death dealing goose if a driver is signed or not. This reminds me of Linux retardation where things that should work (installing Firefox) shouldn’t require hidden tricks that normal users won’t understand. What a waste of three hours of my life.

  17. Darrin says:

    I want to know if anything is being done about IE7 crashing to desktop. I have this problem many times per day, and so do my workmates. I have a fresh and updated install of XP Pro, then installed IE7. It crashes to desktop at least every second time I open it. Does anyone else have this issue???? And yes, it sends an error report.

  18. game kid says:

    "I do think a public disclosure is a good opportunity to get the attention of people that know the problem."

    The spelling and grammar check is complete.

  19. David Wrixon says:

    "The good news in yesterday’s disclosure is that IE7 is safe against this attack and many of the other recent attacks on IE6."

    Just one more reason to consign IE 6 to history as soon as practical. Get IE 7 out there now. Trying to repair IE 6 is like trying to patch wet toilet paper!

  20. Matt says:

    I know the previous answers to this question: "4th Quarter".

    Well we’re already in the 4th Quarter, so pls answer the question in "weeks" this time.

    Regards

  21. Aedrin says:

    If you were actually finding flaws on software for the sole purpose of helping the community, then you would not release it to the public -ever-.

    Too many people assume simplicity in fixing a bug.

  22. Gilbert says:

    Hello all,

    In the past, Microsoft was not responsive to security issues. These days, however, they have to be…and that has required a huge difference in the way they think and write software…and also, getting patches out.

    One can argue all day that it has taken them too long, or they still aren't responsive enough. I was one of Microsoft's biggest critics. And while they still have a lot of work to do, I must acknowledge their great progress. In terms of patches, they still need to get out patches sooner; waiting months for a fix (even if undisclosed) is still asking for huge trouble. Sadly, no matter what OS or software you run, you'll probably be always trying to catch up with the bad guys. Just a sign of the times.

    So, let me say this. I encourage the MSIE team to continue to work on developing IE so that it is as safe as possible, but do not expect it to be perfect. Furthermore, when mistakes are made, 'fess up. I know that is anti-societal to do so, and of course the common misperception is that it makes you look bad. The truth is that it makes you look bad only if you are so insecure as to not admit your own faults. So, when you blow it, and you will, quite often, we all do…admit it. Keep becoming more responsive to your customers (such as through this blog and allowing comments, which was a GREAT idea!), and we'll be happy.

    It’s now obvious that the bad guys release their malware on the world 1-2 days after "Patch Tuesday". I don’t know how to suggest to fix that, other than a special release.

  23. Fduch says:

    @hAl

    > Dat does bnot sound like a very critical vunerability. Surfing to a website and filling in the name of a file on your system and then having that file uplad to that system seems difficult to exploit

    YEEEEEEEEEEEEEEEEEES!!!!!!!!!!!!!!!

    You’ve said it.

    There is even a proof of concept exploit.

    But all you say is "it’s difficult to exploit. Why bother patching it?"

    Just like Microsoft says!

    And imagine going to some site that requires you to fill in some info. There are files with known names that contain valuable information. (+ attacker can disclose filenames through other UNPATCHED vulnerabilities). There is a hidden file upload field. While you are filling in the data or just randomly mashing the keyboard, the script collects letters. Then the file is easily uploaded to the attacker.

  24. Fduch says:

    @Aedrin

    > If you were actually finding flaws on software for the sole purpose of helping the community, then you would not release it to the public -ever-.

    It’s too simple.

    Let's say there is a security hole. And bad guys are exploiting it. Not in the form of a virus, but as targeted attacks.

    But there is a GoodGuy. He knows about the bug and wants to stop BadGuys.

    He contacts MS and tells them everything. But they do nothing or just say "it's difficult to exploit", "won't fix".

    What would you do to stop innocent users from suffering?

    I’d try to make it as public as possible to draw attention and make MS fix it. (Kheh… If only I was able to draw attention…)

  25. tuscan5 says:

    Internet Explorer 6 with XP SP2 is requiring the awaited update, because installing Windows Live Toolbar in IE6 as above makes a very fast browser, which has a phishing filter. I think speed is important for effective browsing, and I have not found IE7 able to pace IE6 for speed. You can get a download to stop IE7 being installed. Let's hope MS can write what is being discussed, because a default setting is involved.

  26. Aedrin says:

    Fduch:

    I was talking about the case where ‘GoodGuy’ discovers the exploit. So no one is abusing it yet.

    So when ‘GoodGuy’ releases the exploit, suddenly ScriptKiddy and BadGuy know how it works, so BadGuy writes a Script. ScriptKiddies all around the world download it and suddenly everyone is having problems because GoodGuy thought that releasing an exploit publicly would be a wise decision.

  27. Fduch says:

    @Aedrin

    In security, different people often come to the same ideas.

    For example, I see that some new worms are using some of my 3-year-old ideas.

  28. Kosche says:

    I hear IE7 final will be released next month? Does anyone know when it’s coming out?

  29. PatriotB says:

    "I was just thinking about this last night, but is it possible for the respective companies to release these products without using ActiveX?  …  I know about the security issues involving ActiveX, but I don’t understand why alternatives are not presented by MS."

    What would you propose?  Flash, QuickTime, RealPlayer — they need to run native code on the user’s computer.  And anytime you let a browser plugin run native code, if the plugin is found to have a security hole, then the browser is a vector of attack.  Pure and simple.  If the Flash plugin for Firefox has a security hole, couldn’t you then be attacked via browsing with Firefox?

    The alternative to having the plugin run native code, is for the plugin to be managed — i.e., a Java applet or pure .NET applet that can be sandboxed.  Those alternatives do exist.  But do Java or .NET meet the performance requirements for, say, playing streaming video or fancy animations?  I think the answer is no; even WPF/Avalon, which has portions written in managed code, has portions written in native code as well.

  30. Fduch says:

    @PatriotB "But do Java or .NET meet the performance requirements for, say, playing streaming video or fancy animations?  I think the answer is no; even WPF/Avalon, which has portions written in managed code, has portions written in native code as well."

    Yes, .Net does meet the requirements. There is managed DirectX. There is WPF. There is me, who builds my own voxel graphics engine in .Net.

    .Net will always use native code to communicate with the system. But I can say that the Framework is rather safe. It communicates with native code in a secure way.

    So I think that allowing/demanding the use of .Net scripts/controls is a good thing. They just need to make a good wrapper around IE functions.

    Hope they’ll do it before I die.

  31. EricLaw [MSFT] says:

    @Darrin: Please try the steps in the first section of this page: http://www.enhanceie.com/ie/troubleshoot.asp