IE Killbits don't work, or why MS released an OOB Patch yesterday (updated)

Now we know why Microsoft rushed out an out-of-band patch. It seems that shutting down a defective component is not as effective as fixing it. During the upcoming Blackhat talk of Ryan Smith, Mark Dowd and David Dewey it will be demonstrated how to bypass the "kill-bit" mechanism. A measure used by Microsoft to patch an ActiveX vulnerability on June 14th. So Microsoft rushed out to release an out of band patch before the presentation.

Smith has posted a video that demonstrates how they were able exploit a kill-bit copy of IE.

Halvar Flake mentioned the following on his blog:

"The bug is actually much 'deeper' than most people realize, [and] the kill-bit fix is clearly insufficient, as there are bound to be many other ways of triggering the issue,"

So this is why Microsoft is patching the vulnerability within ATL (the msvidctl.dll issue) . This has resulted in vulnerabilities in other crucial Windows files, and perhaps third-party applications whose developers had also used ATL. The following post from Adobe PSIRT blog confirms this:
We evaluated the impact of the vulnerable versions of the Microsoft Active Template Library (ATL) / CVE-2009-0901, CVE-2009-2395, CVE-2009-2493 / Microsoft Security Advisory (973882) on the Adobe product portfolio. We determined that Flash Player and Shockwave Player are the two products that leverage vulnerable versions of ATL. A Security Advisory for Flash Player and a Security Bulletin for Shockwave Player have been posted to our security bulletins and advisories page.
According to their bulleting, only Internet Explorer plug-ins are vulnerable. Firefox users as well as all other Windows-based browsers are not vulnerable. Macintosh, Linux and Solaris versions of Flash Player and Shockwave Player are not vulnerable.

So have a look at MS09-034 and MS09-035!! So until we have details on the Blackhat presentation, I wouldn't recommend using the killbit as only countermeasure for vulnerabilities.

If you want to delve deeper into this matter, the following two articles from the Microsoft Security and Defense blog are worth a read!
Update: A Slashdot story was running on this with this remarkable quote: "What's really scary is that Microsoft has issued 175 killbits fixes so far."

According to this Heise online article, Cisco extensions are also vulnerable. Google hasn't released any details yet.

Last but not least, the verizon business security blog has a very good article on the entire issue, a risk summary and a tool for developers to check their code.

(Photo under creative commons from jlkinsel's photostream)

No comments: