In an interesting move, Microsoft is returning more drive-by exploitation functionality to their Internet Explorer browser:
“Back in April 2006, we made a change to how Internet Explorer handled embedded controls used on some webpages. Some sites required users to “click to activate” before they could interact with the control. Microsoft has now licensed the technologies from Eolas, removing the “click to activate” requirement in Internet Explorer. Because of this, we’re removing the “click to activate” behavior from Internet Explorer!”
Very exciting. This change means that malicious web sites delivering drive-by exploits targeting ActiveX controls will once again run without any user intervention from Internet Explorer.
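The “embedded controls” Microsoft mentions are instantiated from a page with `<object classid="clsid:...">` (or `<embed>`) tags, and once the click-to-activate prompt is gone, an attacker-controlled page instantiates the control the moment it loads. A defender reviewing proxy logs or a captured page therefore wants a quick way to see which controls a page tries to load. The scanner below is an added example, not code from the original post or from ThreatFire: it walks an HTML document with Python’s `html.parser`, records every ActiveX instantiation, flags CLSIDs on a watch list, and flags a remote `codebase` (which would let the browser fetch and install the control). The watch-list GUID and the sample page are constructed placeholders, not real control identifiers or real sites.

```python
import re
from html.parser import HTMLParser

# Hypothetical watch-list of ActiveX CLSIDs a defender wants to be alerted on.
# The GUID below is a constructed placeholder, not a real control identifier.
WATCHED_CLSIDS = {
    "00000000-0000-0000-0000-000000000001": "placeholder media control",
}

# classid values look like  clsid:{8-4-4-4-12 hex}  with the braces optional
CLSID_RE = re.compile(
    r"^clsid:\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?$", re.I
)


class ActiveXScanner(HTMLParser):
    """Collects <object classid="clsid:..."> and <embed> tags from a page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases attribute names; a bare attribute has value None
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "object":
            m = CLSID_RE.match(attrs.get("classid", "").strip())
            if not m:
                return  # <object data=...> without a CLSID is not an ActiveX instantiation
            clsid = m.group(1).upper()
            codebase = attrs.get("codebase", "").lower()
            self.findings.append({
                "tag": "object",
                "clsid": clsid,
                "watched": clsid in WATCHED_CLSIDS,
                # a remote codebase means the browser may download and install the control
                "remote_codebase": codebase.startswith(("http:", "https:")),
                "line": self.getpos()[0],
            })
        elif tag == "embed":
            self.findings.append({
                "tag": "embed",
                "type": attrs.get("type", ""),
                "src": attrs.get("src", ""),
                "line": self.getpos()[0],
            })


def scan_html(html: str) -> list:
    """Return one finding dict per ActiveX <object> or <embed> tag in the page."""
    scanner = ActiveXScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summarize(findings: list) -> dict:
    """Counts suitable for a one-line alert or a dashboard row."""
    return {
        "objects": sum(1 for f in findings if f["tag"] == "object"),
        "embeds": sum(1 for f in findings if f["tag"] == "embed"),
        "watched": sum(1 for f in findings if f.get("watched")),
        "remote_codebase": sum(1 for f in findings if f.get("remote_codebase")),
    }


# Constructed sample page; the CLSIDs and host name are placeholders, not real ones.
SAMPLE_HTML = """<html><body>
<object classid="clsid:{00000000-0000-0000-0000-000000000001}" width="1" height="1"
        codebase="http://example.invalid/control.cab#version=1,0,0,0">
  <param name="src" value="movie.mov">
</object>
<object classid="clsid:00000000-0000-0000-0000-00000000BEEF"></object>
<object data="page.svg" type="image/svg+xml"></object>
<embed type="video/quicktime" src="movie.mov" autoplay="true">
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
    print(summarize(scan_html(SAMPLE_HTML)))
```

The 1×1-pixel object with a remote `codebase` is the pattern worth alerting on: a control the user never sees, installed from a third-party host, now activated with no click. Feed the scanner the HTML bodies pulled from a proxy or sandbox capture and treat any watched or remote-codebase hit as a page to look at more closely.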
The DailyDave mailing list (run by Dave Aitel, whose CANVAS product is a driving force in the penetration-testing industry) pointed this out last night regarding the recent RTSP QuickTime 0day discussion and how CANVAS attacks the vulnerability:
“It’s not hard to make the exploit work against IE 7, but the user will have to click on the ActiveX (or hit the spacebar) to enable it.”
Fixed that for you.
ThreatFire prevents buffer overflow exploits like the QuickTime 0day. A related write-up can be found here; it describes the same SEH overwrite technique used in Krystian Kloskowski’s recent 0day QuickTime exploit.