Thanks a lot for everyone's comments and feedback on this disclosure. We spent time on this old issue as it has an extremely high malicious targeted attack capability and is very easy to exploit. After Jeremy's IE targeting file saving vulnerability was disclosed in November 2003, we came across the idea to test whether it was possible to hijack SSL on IE. Boom, it took us only one day to research and successfully test the exploit code! That's the reason why we did not disclose it in detail. It is extremely easy to exploit. Just look into the SDK documentation and everything is right there for you to exploit. What you need to hijack SSL from IE is one function call from one DLL file.

When we tested it out, Windows OS (ACL was not considered then), IE and leading AV software did not provide any kind of alert or alarm. The ease of exploiting this weakness, and the failures at multiple layers to detect this intrusion, led us to categorize this as a serious problem.

This exploit is far more sinister and hidden than the quite obvious ones used by phishing. Compared to keylogger spyware, this exploit is much more targeted and efficient. Keylogger spyware returns high volumes of information which need a lot of filtering to obtain useful information. Alternatively, someone can gain a lot of confidential info from "data-mining" raw data before SSL encryption. This exploit will turn the so-called "secure" transactions into completely insecure ones.

When we disclosed this to Microsoft, we were told that this feature has existed for more than ten years. We could not understand why Microsoft cannot take some protective measures against this simple and easy exploit of "DLL proxy" attacks if they have known of the potential risk of "DLL proxy" or "DLL injection" for years.
In light of the widely spreading MyDoom, the latest disclosure from eEye and Microsoft's subsequent patch announcement (04-007), together with other vulnerabilities in other applications on Windows, don't you think that the first line of defense against intrusion onto a PC for normal users is almost not there? When we dealt with Microsoft, Microsoft tried to push across the concept that a malicious attack erasing a user's hard drive is far worse than obtaining access to information intended to be encrypted using SSL!? Only protecting against the entrance of an attack is not enough to mitigate against threats. By the way, they did not state "the program can DDoS ..".

When IE switches into https mode, it brings up the "security alert" dialog (unless disabled) that states: "You are about to view pages over a secure connection. Any information you exchange with this site cannot be viewed by anyone else on the web." Is that whistling in the dark? Don't you agree that the alert should be modified a little bit?

We have to sing the same song posted by Marc Maiffret from eEye:

U can't trust this
U can't trust this ...
MyDoom'd zombies DDoS U
Ur SSL is so easy to break...

What else is left to be trustworthy?

Regards
Peter Huang
http://www.ossecurity.ca/