It looks like the flaw is a buffer overflow and not a memory corruption error. Initially, FrSIRT has issued an advisory, "Microsoft Internet Explorer "daxctle.ocx" KeyFrame Memory Corruption Vulnerability", detailing a new zero-day Internet Explorer exploit. The exploit is reportedly successful using IE 5.01 SP4, IE 6 SP1, and IE 6 for Windows XP and Windows Server 2003. All Windows platforms supporting these IE versions are affected. FrSIRT rates this as a critical security risk. Secunia rates this as an extremely critical security risk. FrSIRT claims that by sending a specially-crafted argument to the DirectAnimation.PathControl" (daxctle.ocx) ActiveX object, a local or remote attacker can cause a memory corruption error that leads either to a Denial of Service (DoS) condition, execution of arbitrary code. As a workaround, FrSIRT is recommending disabling Active Scripting in the Internet and Local intranet security zones. This will obvioulsy break a number of pages. Symantec SecurityResponse blog states that Symantec researchers have determined that the flaw in the DirectAnimation Path ActiveX Control is in fact a buffer overflow instead of a memory corruption error. Symantec researchers now believe that the buffer overflow occurs "when IE tries to instantiate a certain DirectionAnimation COM object as an ActiveX control." The blog note says that remote execution of arbitrary code is possible. According to Secunia, a partially working exploit is in the wild for Chinese Windows versions. Additionally, Secunia claims to have created a fully working exploit for Windows XP SP2. Both Microsoft and US-CERT have released advisories about the new IE zero-day exploit. In Microsoft advisory 925444, "Vulnerability in the Microsoft DirectAnimation Path ActiveX Control Could Allow Remote Control Execution", MS acknowledges that the problem exists in the Microsoft DirectAnimation Path ActiveX control, which is included in Daxctle.ocx. In US-CERT advsory "Public Exploit Code for Microsoft DirectAnimation Path ActiveX Control Vulnerability", US-CERT recommends as a workaround that ActiveX be disabled in the Restricted zone and the Internet zone. More information is available in the US-CERT Vulnerability Note VU#377369, "Microsoft DirectAnimation Path ActiveX control fails to validate input". According to the MS advisory, "The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing Active Scripting from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, they could still be vulnerable to this issue through the Web-based attack scenario. "By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 2000 opens HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if Microsoft Security Bulletin MS04-018 has been installed." This does a good job of explaining why MS says "Script ActiveX controls marked safe for scripting" should be disabled in the Restricted zone. For a more complete discussion of workarounds see the "Suggested Actions - Workaround" section of MS Advisory 925444. Symantec is releasing IPS signatures, but has not yet released any AV signatures for this exploit. However, I believe they may have a new generic "bloodhound" exploit signature later today. Nothing yet from McAfee, Sophos or F-Secure. I'm still checking other AV vendors ISS has released XPU 24.33 for Network Sensor 7.0 to address this issue. References: http://www.us-cert.gov/current/index.html#IE0day http://www.kb.cert.org/vuls/id/377369 http://www.microsoft.com/technet/security/advisory/925444.mspx http://www.symantec.com/enterprise/security_response/weblog/2006/09/new_ internet_explorer_0day_vul.html http://www.securityfocus.com/bid/19738 http://xforce.iss.net/xforce/alerts/id/236 http://www.xsec.org/index.php?module=releases&act=view&type=2&id=20 http://isc.sans.org/diary.php?storyid=1701&rss http://www.frsirt.com/english/advisories/2006/3593 http://secunia.com/advisories/21910/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4777 -----Original Message----- From: Tyop Tyip [mailto:tyoptyop@xxxxxxxxx] Sent: Friday, September 15, 2006 3:00 AM To: bugtraq@xxxxxxxxxxxxxxxxx Subject: Fwd: IE ActiveX 0day? Does someone have more informations about a 0day on ActiveX? Here's my links: http://www.milw0rm.com/exploits/2358 http://blogs.securiteam.com/index.php/archives/600 http://www.xsec.org/ -- Tyop?
