ANI vuln – Please enable DEP on IE7 on Vista yesterday.

Just a quick blog post this morning regarding the ANI vuln and some thoughts on mitigations built-in to Vista.

Firstas mentioned by the MSRC – we are going to release the security update out of band on Tuesday (tomorrow). 
I recommend installing this ASAP tomorrow vs. installing something like the eEye patch for the issue today.

Second – on Vista, which is vulnerable (sadly) – IE7’s new ‘Protected Mode’ should be doing a pretty good job protecting customers from getting owned by this.  Protected Mode doesn’t mitigate the vulnerability – but it does mitigate the damage potential that the vulnerability would otherwise normally allow on a machine where IE is running at the same privilege level as the user.  What I mean is – the exploits that are in the wild abusing this vulnerability are more than likely running shellcode that tries to suck down a DLL to your machine and run it . . . I have previously blogged about this kind of shellcode and what it does here.  Well this shellcode will more than likely try to write the downloaded DLL / EXE to a part of the disk that IE7 in protected mode will not have access to (i.e. some folder OTHER than the ‘locallow’ folder in the useres profile).  Moreover even if the malware was downloaded to a folder that IE7 in protected mode could write to and was launched / loaded – it’s un-likely the malware would be able to modify any of the ASEP’s (auto-start entry points) in the registry that would be needed to make it persist a reboot or a logout.

Finally – on Vista users can configure Internet Explorer to opt-in to hardware DEP if their CPUs support this feature (AMD calls it NX, Intel calls it XD – we call it Hardware DEP) using the following simple registry script:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]

This registry key is what is configured if you follow the steps listed in Mikehow’s blog post on the topic here but it may be easier for you to deploy the registry script via a logon script or machine startup script.  As you might have guessed by looking at the above registry script – you can opt-in any other program that’s not using DEP by default using the same methodology used by that script (i.e. by chaning the process name after ‘\Image File Execution Options\’).  Another option would be to run a copy of CMD.EXE elevated and typing:

bcdedit.exe /set NX optout

The above command will take effect on the next reboot and by default it will force all programs that don’t explicitly tell Windows they DON’T want to use DEP – to use it.  This is how I roll . . . I haven’t had any problems running like this for many months now.  You can change back to the default policy by specifying ‘optin’ instead of ‘optout’.  If you want to see how your system is currently configured you can just type ‘bcdedit.exe’ from an elevated CMD.

Now – I am in no way trying to downplay the severity of this vulnerability – this one is as bad as it gets for Windows users – but fortunately Vista with IE7 in protected mode and UAC should be doing their job and breaking malware that assumes it is running as administrator and Vista can even be configured on certain hardware to make Internet Explorer use DEP – which may even prevent the shellcode from running in the first place making UAC and Protected Mode un-necessary.

I’m going to be posting a more in-depth look at DEP on Vista today or tomorrow after I do some final testing on some machines in the lab.  I meant to do this months ago but got busy and sort of . . . forgot.