9.3 2011 Remote Desktop Insecure Library Loading Vulnerability (MS11-017/2508062)
VERSAFE group's online fraud research team found and reported a critical vulnerability in Microsoft's Remote Desktop Client that could allow remote code execution. The vulnerability was reported to Microsoft and addressed in the patch released on March 8, 2011.
Background:
The vulnerability could allow remote code execution if a user opens a legitimate Remote Desktop configuration (.rdp) file located in the same network folder as a specially crafted library file. For an attack to succeed, a user must visit an untrusted remote file system location or WebDAV share and open a document from that location which is then loaded by a vulnerable application.
Vulnerable:
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition SP 2
Windows Vista SP 1 and Windows Vista SP 2
Windows Vista x64 Edition SP1 and Windows Vista x64 Edition SP 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems SP 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems SP 2
Remote Desktop Connection 7.0 Client
Windows Vista SP 1 and Windows Vista SP 2
Windows Vista x64 Edition SP 1 and Windows Vista x64 Edition SP 2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based systems
Windows Server 2008 R2 for Itanium-based Systems
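The condition described above (an .rdp file sitting next to a library file in a shared folder) is something an administrator can look for directly. The following PowerShell is an added example, not code from VERSAFE or Microsoft: it walks a share, reports every folder that holds both an .rdp file and a .dll, and checks whether the MS11-017 update (KB2508062) is installed on the local machine. The share path is a placeholder, and the script assumes PowerShell 3.0 or later for the -File switch.

```powershell
# Added defender check (hypothetical helper, not part of the original advisory):
# flag folders where an .rdp file is co-located with a .dll, the layout that the
# insecure library loading described in MS11-017 depends on.
function Find-RdpDllColocation {
    param(
        [Parameter(Mandatory)][string]$Root   # share or folder to scan
    )
    Get-ChildItem -Path $Root -Recurse -Filter *.rdp -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DirectoryName -Unique |
        ForEach-Object {
            $dir  = $_
            $dlls = Get-ChildItem -Path $dir -Filter *.dll -File -ErrorAction SilentlyContinue
            if ($dlls) {
                # Report the folder with the names involved so it can be reviewed or cleaned up.
                [pscustomobject]@{
                    Folder   = $dir
                    RdpFiles = (Get-ChildItem -Path $dir -Filter *.rdp -File).Name -join ', '
                    Dlls     = $dlls.Name -join ', '
                }
            }
        }
}

# Confirm the fix from the advisory is present on this host (KB number taken from the heading above).
function Test-MS11017Installed {
    [bool](Get-HotFix -Id 'KB2508062' -ErrorAction SilentlyContinue)
}

# Usage: the share name is a placeholder for the environment being checked.
Find-RdpDllColocation -Root '\\fileserver\shared' | Format-Table -AutoSize
if (Test-MS11017Installed) { 'KB2508062 is installed' } else { 'KB2508062 is missing' }
```

A hit from the scan is not proof of an attack; legitimate folders may contain both file types. It is a prompt to verify the DLL's origin and signature, and to prioritise the patch on clients that open .rdp files from that location.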
21.01.10 Internet Explorer CVE-2010-0249 Remote Code Execution Vulnerability
VERSAFE group's Online Fraud Research team found and reported a critical vulnerability in Internet Explorer in August 2009.
The vulnerability was reported to Microsoft and addressed in the patch released on Jan. 21, 2010.
Background:
This vulnerability was used in attacks against Google accounts and was reported on Wednesday, August 26, 2009, 2:54 PM (GMT +2:00).
The mitigation from Microsoft is to disable Active Scripting.
The exploit is in the wild.
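Microsoft's mitigation of disabling Active Scripting is an Internet Explorer zone setting that can be audited and applied from PowerShell. The script below is an added example, not from VERSAFE or Microsoft; it reads and sets the documented Active Scripting action (value name 1400: 0 = Enable, 1 = Prompt, 3 = Disable) for the Internet (zone 3) and Restricted Sites (zone 4) zones of the current user. The function names are hypothetical.

```powershell
# Added mitigation helper (hypothetical, not from the original report).
# Zone settings live under Internet Settings\Zones\<zone>; value 1400 is "Active scripting".
$ZoneKeyBase = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingState {
    param([int[]]$Zones = @(3, 4))   # 3 = Internet, 4 = Restricted Sites
    foreach ($zone in $Zones) {
        $key = Join-Path $ZoneKeyBase $zone
        $raw = (Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue).'1400'
        $state = if ($null -ne $raw -and $ActionNames.ContainsKey([int]$raw)) {
            $ActionNames[[int]$raw]
        } else {
            'Not set (zone default applies)'
        }
        [pscustomobject]@{ Zone = $zone; Value = $raw; ActiveScripting = $state }
    }
}

function Set-ActiveScriptingDisabled {
    param([int[]]$Zones = @(3, 4))
    foreach ($zone in $Zones) {
        $key = Join-Path $ZoneKeyBase $zone
        # 3 = Disable; written as a DWORD, which is the type IE expects for zone actions.
        Set-ItemProperty -Path $key -Name '1400' -Value 3 -Type DWord
    }
}

# Usage: audit first, then apply the mitigation and re-audit.
Get-ActiveScriptingState | Format-Table -AutoSize
Set-ActiveScriptingDisabled
Get-ActiveScriptingState | Format-Table -AutoSize
```

This changes the per-user setting only; a machine-wide or domain policy under the HKLM Policies branch takes precedence, so check both when verifying that the mitigation is actually in effect.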
Vulnerable:
Microsoft Internet Explorer 8
Microsoft Internet Explorer 7.0
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0
Technology Background:
When an event is fired, a value containing the event details is passed to the event handler.
One of the properties of this value is 'srcElement', which points to the element that fired the event.
The problem occurs in the following situation:
1. An event is fired on the page by a certain element (an 'input', 'img', etc.).
2. The event object is duplicated in memory and saved as a global value.
3. After the event handler exits, the element that fired the event (the 'input', 'img', etc.) is deleted.
4. Accessing 'srcElement' on the saved event then crashes the browser, because the saved event still refers to memory that has been freed (a use-after-free memory corruption).