gdiplus.dll is ringing in my head for some reason, this could be nasty.
http://isc.sans.org/diary.php?date=2005-08-18
Internet Explorer (.Net) 0day msdds.dll Exploit
As reported in yesterday's diary, FRSIRT released a 0-day exploit against Microsoft Internet Explorer 6. This exploit can also be characterized as a .Net exploit, which is accessible remotely using MSIE as a conduit. [David].
IMPORTANT: At this point, there is no patch available. Exploit code has been released and is expected to be used in the wild shortly (if it hasn't been used already).
In order to be vulnerable, you need to have 'msdds.dll' installed. Usually, this is installed by Visual Studio .Net, but has been found to be installed by a number of other applications as well, as it may be distributed with .Net based applications.
Typically, you will find it in
Program Files\Common Files\Microsoft Shared\MSDesigners7\msdds.dll [Jordan]
Here is a list of applications that may install this component:
(Disclaimer: We can't test them all... but it should help you prioritize)
MS Visual Studio .Net
.Net Framework 1.1
Microsoft Office (2000, 2002, XP) [Karl, Juha-Matti]
Microsoft Project
Visio [Chris]
Access 11 (2003) runtime [Scott]
ATI Catalyst driver installed by newer ATI video cards [Eric]
MSDDS.DLL is not found on Win2003 SP1 SERVER with .net installed (not Visual Studio .net). [Andy].
Not all default Office 2000 installs have msdds.dll installed. [Emmanuel] We get conflicting reports, likely due to various configuration and install choices.
The version of MSDDS.DLL installed with Office 2003 is not vulnerable.
If you test your system using the PoC exploit, please let us know if it succeeded, and what version of MSDDS.DLL you are using. Version 7.10.3077.0 may not be vulnerable (according to Secunia and our testing). [Juha-Matti]
Version 7.0.9064.9112 is vulnerable [Gilles].
If you are able to apply content filters to your internet gateway (e.g. a proxy server), filter for this string:
(in order to allow you to still visit this page, we substituted the '-' with the word '(dash)' ...)
EC444CB6(dash)3E7E(dash)4865(dash)B1C3(dash)0DE72EF39B3F
This is the class id (CLSID) of the vulnerable component; an exploit page instantiates it through an ActiveX <object> tag whose classid attribute carries this value, which is why filtering on the string at the gateway blocks the straightforward form of the attack.
Other Mitigation Techniques:
- Use a browser that does not support ActiveX (Firefox, Opera, ...)
- Remove the vulnerable DLL (we do not know what will break as a result).
- This issue can be blocked by setting the 'kill bit' for the respective component. Using a registry editor, create the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{EC444CB6-3E7E-4865-B1C3- 0DE72EF39B3F} and under it a REG_DWORD value named "Compatibility Flags" set to 0x00000400. [Jerry] Note that the CLSID must be enclosed in curly braces in the key name. I added a space in the key to avoid the above mentioned content filter rule; remove it when you type the key. [John]
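As an added example (this is not part of the SANS diary and not Microsoft's own tooling), the PowerShell script below ties the steps above together: it looks for msdds.dll in the location given earlier, reports the file version against the versions readers reported, sets the kill bit under the registry key just described, and reads it back to confirm. It assumes an elevated (Administrator) prompt and a system with PowerShell; the version-to-status mapping is only what this diary's readers reported, not an authoritative list.

```powershell
# Added example, not from the diary: locate msdds.dll, report its version,
# and set the IE kill bit for the MSDDS CLSID so MSIE refuses to load it.
# Run from an elevated prompt. CLSID and key path are from the diary;
# the version table below is the diary's reader reports only.

$Clsid      = '{EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F}'
$KillBitKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
$KillBit    = 0x00000400   # "Compatibility Flags" kill-bit value

function Find-Msdds {
    # Usual location first, then a fallback search below Common Files.
    $common = $env:CommonProgramFiles
    $usual  = Join-Path $common 'Microsoft Shared\MSDesigners7\msdds.dll'
    if (Test-Path $usual) { return Get-Item $usual }
    Get-ChildItem -Path $common -Filter 'msdds.dll' -Recurse -ErrorAction SilentlyContinue |
        Select-Object -First 1
}

function Report-MsddsVersion {
    $dll = Find-Msdds
    if (-not $dll) {
        Write-Output 'msdds.dll not found; this host is not exposed through this component.'
        return
    }
    $ver = $dll.VersionInfo.FileVersion
    $status = switch ($ver) {
        '7.0.9064.9112' { 'reported vulnerable (diary)' }
        '7.10.3077.0'   { 'reported not vulnerable (diary, unconfirmed)' }
        default         { 'status unknown; set the kill bit anyway' }
    }
    Write-Output ('{0} version {1}: {2}' -f $dll.FullName, $ver, $status)
}

function Set-MsddsKillBit {
    if (-not (Test-Path $KillBitKey)) { New-Item -Path $KillBitKey -Force | Out-Null }
    # OR the kill bit into any flags already present rather than overwriting them.
    $existing = (Get-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$existing) -bor $KillBit
    Set-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-MsddsKillBit {
    # Returns $true only if the kill bit is actually present in the value.
    $flags = (Get-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $KillBit) -eq $KillBit)
}

Report-MsddsVersion
Set-MsddsKillBit
if (Test-MsddsKillBit) { 'Kill bit set for MSDDS; restart MSIE.' }
else                   { 'Kill bit not set (is the prompt elevated?)' }
```

On a host without PowerShell the same kill bit can be written with reg.exe from an administrative command prompt (`reg add` on the key above with `/v "Compatibility Flags" /t REG_DWORD /d 0x400 /f`). The kill bit only stops MSIE and other hosts that honour ActiveX Compatibility flags from instantiating the control; it does not remove the DLL, so an application that loads msdds.dll directly is unaffected either way.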
There is no official patch for this vulnerability at this point. MS05-038 looks similar, but the patch doesn't appear to protect you from this problem.
In a few cases, the system reported "low virtual memory" as we hit the exploit page.
MSDDS Trivia:
- MSDDS stands for "Microsoft Design Tools - Diagram Surface".
- You may sometimes find the (wrong) spelling "msdss" in earlier versions of our diaries.
Related Links:
http://secunia.com/advisories/16480/