Cisco Security Agent and the Microsoft IE createTextRange( ) Exploit

Product Bulletin No. 3275

SUMMARY

A critical vulnerability was announced on March 23, 2006 for Microsoft Internet Explorer versions 5.01, 5.5, and 6.0. [1] This vulnerability is actively being exploited. An unpatched vulnerability in the way that Internet Explorer renders HTML could allow attackers to seize control of the system. This vulnerability affects systems running Windows 2000, Windows XP, Windows 98, and Windows Server 2003. Microsoft has announced it will release a fix for this in its already scheduled April 11, 2006 security update.
This vulnerability has already been exploited in several attacks. Cisco Systems® has obtained exploit files, and has confirmed that the Cisco® Security Agent is effective in stopping these exploits, using the default security policy configuration. Current supported versions of Cisco Security Agent are 4.0.3.737, 4.5.1.639, and 5.0.0.176. All are effective in stopping the exploits seen to date.

DETAILS OF THE VULNERABILITY

The vulnerability relates to the way that Internet Explorer processes information using the createTextRange() method. The createTextRange() method is a dynamic HTML (DHTML) method that is exposed by the DHTML Object Model [2]. By presenting the browser with specially crafted code, attackers could corrupt the system memory and trick it into running unauthorized software.
The CERT advisory [3] states that by convincing a user to open a specially crafted web page, a remote unauthenticated attacker can execute arbitrary code on a vulnerable system. Known attack vectors for this vulnerability require Active Scripting to be enabled; disabling Active Scripting therefore reduces the chances of exploitation.

HOW CISCO SECURITY AGENT STOPS THE EXPLOIT

The Cisco Security Agent default policies contain a buffer overflow prevention rule that stops the exploit from doing any damage. No changes to the Cisco Security Agent binaries or default configuration are required to get this protection.
The following actions have been observed being blocked by Cisco Security Agent running the default security policies:

• Execution of a system function from a buffer, via a buffer overflow

This testing is shown in Figure 1.
Note that the exploit was tested at Cisco with the agent in Test mode, which causes the agent to alert on (but not block) malicious behavior. This was done to observe all possible ways in which the Cisco Security Agent default policies would stop the exploit. When the agent is in Protect mode (the typical operational configuration), the first rule would kill the exploit; no subsequent events would be seen, since the exploit would be terminated before it could perform any malicious actions.
Testing was performed against the Cisco Security Agent default policies. No binary or policy update was needed for Cisco Security Agent to be effective. In short, this was a true test of "day-zero" protection. This is similar to what Cisco has seen with earlier exploits and worms: the default Cisco Security Agent configuration stopped the exploit, with no binary or policy updates required. The following is a partial list of prior worms and exploits that Cisco Security Agent has stopped via the default security policy settings:
This exploit is only the latest example of the new and mutating attacks that can seriously impact an organization's computing and network environments. The key to stopping these new attacks is twofold: the ability to stop the attack without requiring any changes to the default configuration, and multiple rules in the default policies that provide defense in depth.

Figure 1. Cisco Security Agent Default Configuration Stops the Microsoft Internet Explorer createTextRange() Exploit (Tested on Cisco Security Agent 4.5)

REFERENCES:

[1] Microsoft Security Advisory: http://www.microsoft.com/technet/security/advisory/917077.mspx

[2] Microsoft DHTML: http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/dhtml_node_entry.asp

[3] CERT: http://www.kb.cert.org/vuls/id/876678

Securing Your Web Browser: http://www.us-cert.gov/reading_room/securing_browser/

Secunia Advisory: http://secunia.com/advisories/18680/