Killbit Workaround for Zero-Day IE Flaw Available

The SANS Internet Storm Center has released a free utility to help thwart zero-day Internet Explorer attacks.

The SANS Internet Storm Center has released a "killbit" package as a temporary workaround to help Internet Explorer users thwart malicious hacker attacks.

The utility, available here, sets the "killbit" for Msddds.dll (Microsoft DDS Library Shape Control), the COM object that can cause browser crashes—and remote code execution—via specially crafted Web pages.

The tool was written by Tom Liston, a researcher at Intelguardians Network Intelligence and incident handler at the SANS Storm Center, and is available for free in both a GUI and a command line version.

Liston told Ziff Davis Internet News the tool will serve as an effective workaround until Microsoft gets around to providing a comprehensive patch for the underlying vulnerability.

Liston, however, warned that once the "killbit" is set to prevent the use of Msdds.dll as an ActiveX, all applications that use the COM object utility will break.

Detailed instructions on using the tool are available on the Storm Centers Web site.

Microsoft has already issued an advisory confirming the severity of the flaw and providing pre-patch workaround to help block known attack vectors.

The advisory follows the publication of a zero-day proof-of-concept exploit that could launch browser-based attacks targeting IE users.

"This condition could potentially allow remote code execution if a user visited a malicious Web site. This COM Object is not marked safe for scripting and is not intended for use in Internet Explorer," Microsoft warned.

There is no patch available for the vulnerability, and because exploit code has already been released, there are increasing fears that a widespread attack is very likely.

/zimages/6/28571.gifClick here to read more about Microsofts warnings of a Zero-Day exploit.

"We feel widespread malicious use of this vulnerability is imminent, and the workarounds shown here provide sufficient countermeasures to be applied quickly," the Storm Center said in a daily incident diary entry.

Security alerts aggregator Secunia Inc. rates the vulnerability as "highly critical" and warns that a successful exploit may allow the execution of arbitrary code.

However, a malicious hacker must first trick a user into visiting a specially crafted Web site to launch an attack.

According to Microsoft Corp.s advisory, an attacker could target the hole to "take complete control of the affected system."

The Msdds.dll COM Object is used to provide a built-in shape for DDS Designer Surfaces. It is used by components such as Visual Studio Database Diagramming to provide a way to visualize database objects.

In addition to Microsoft Visual Studio .Net 2003, the COM object can be found in Office 2003 and Office XP, two widely used desktop productivity software programs.

Microsoft plans to release a security bulletin with patches for the flaw--either through the monthly update process or with an out-of-cycle release.

Microsofts pre-patch workarounds can be found in this security advisory.

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.