Details of IE zero-day exploit published

Summary: Cisco says that the attack seems to have begun on April 24 with a series of phishing campaigns.

Now that the IE zero-day which caused so much panic over the last several days has been patched, researchers are much freer to discuss details of the attack.

Data from Cisco's Snort IPS network shows that the attacks on its customers began on April 24 with several phishing campaigns.

The attack relies on getting a user to visit a web site with the malicious code and this was the purpose of the phishing emails. Cisco found these subject lines used in the attacks:

  • Welcome to Projectmates!
  • Refinance Report
  • What's ahead for Senior Care M&A
  • UPDATED GALLERY for 2014 Calendar Submissions

These domains were used to host the malicious code:

  • profile.sweeneyphotos.com
  • web.neonbilisim.com
  • web.usamultimeters.com
  • inform.bedircati.com

The malicious JavaScript on the web page was relatively unobfuscated, according to the researchers. There was one function, named oil(), which was never called from within the JavaScript itself; the call was, in fact, initiated by ActionScript in the associated Flash SWF file. The main purpose of the ActionScript is to "spray the heap," which means performing a series of large memory allocations and filling them with particular values, generally NOP instructions. The sprayed heap is also where the shellcode resides: the program that takes control once the actual Internet Explorer vulnerability has been exploited.

Once the heap is prepared, the SWF calls back into the web page at oil() with a special string as a parameter. oil() then triggers the exploit by calling eval() on the string passed from the SWF. This causes a crash that eventually leads to execution of the shellcode.
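The trigger pattern described above (a page-level function that the page's own script never calls, which hands its argument straight to eval() and is instead invoked from the SWF) is something a defender can look for statically in captured pages, and the subject lines and hosting domains Cisco published can be matched against mail and proxy logs. The following is an added example for that purpose; it is not code from the article, from Cisco or from the attack itself. The sample page script and proxy log lines are constructed for illustration, and the proxy log format is an assumption.

```python
"""Defender-side heuristics for the IE zero-day campaign described in the article.

Two checks are implemented:
  1. find_uncalled_eval_sinks(): static scan of a page's JavaScript for functions
     that are defined but never called from the script itself and that pass one of
     their parameters directly to eval() -- the shape of the oil() trigger that the
     SWF's ActionScript called into.
  2. IoC matching of phishing subject lines and hosting domains (the indicators
     Cisco published) against mail subjects and proxy log lines.
Sample inputs below are constructed, not captured from the real campaign.
"""
import re
from typing import List
from urllib.parse import urlparse

# Indicators from the article (Cisco's published list), normalised for matching.
PHISHING_SUBJECTS = {
    s.casefold() for s in (
        "Welcome to Projectmates!",
        "Refinance Report",
        "What's ahead for Senior Care M&A",
        "UPDATED GALLERY for 2014 Calendar Submissions",
    )
}
MALICIOUS_HOSTS = {
    "profile.sweeneyphotos.com",
    "web.neonbilisim.com",
    "web.usamultimeters.com",
    "inform.bedircati.com",
}

FUNC_DEF_RE = re.compile(r"\bfunction\s+([A-Za-z_$][\w$]*)\s*\(([^)]*)\)")
URL_RE = re.compile(r"https?://\S+")


def _function_body(script: str, start: int) -> str:
    """Return the brace-delimited body that begins at the first '{' after `start`."""
    open_idx = script.find("{", start)
    if open_idx < 0:
        return ""
    depth = 0
    for i in range(open_idx, len(script)):
        if script[i] == "{":
            depth += 1
        elif script[i] == "}":
            depth -= 1
            if depth == 0:
                return script[open_idx:i + 1]
    return script[open_idx:]  # unterminated body: take the rest


def find_uncalled_eval_sinks(script: str) -> List[str]:
    """Names of functions that are never called within `script` but eval() a parameter.

    Such a function is a candidate entry point for something outside the script
    (e.g. ActionScript in an embedded SWF) to hand attacker-controlled code to eval().
    """
    findings = []
    for m in FUNC_DEF_RE.finditer(script):
        name = m.group(1)
        params = [p.strip() for p in m.group(2).split(",") if p.strip()]
        # Occurrences of "name(" minus the definition itself = calls from the script.
        calls = len(re.findall(r"\b" + re.escape(name) + r"\s*\(", script)) - 1
        body = _function_body(script, m.end())
        evals_param = any(
            re.search(r"\beval\s*\(\s*" + re.escape(p) + r"\s*\)", body) for p in params
        )
        if calls == 0 and evals_param:
            findings.append(name)
    return findings


def match_phishing_subject(subject: str) -> bool:
    """True if a mail subject equals one of the published lure subjects (whitespace/case-insensitive)."""
    return re.sub(r"\s+", " ", subject).strip().casefold() in PHISHING_SUBJECTS


def flag_proxy_lines(lines: List[str]) -> List[str]:
    """Return the hosts, in order, of proxy log lines whose URL points at a published hosting domain."""
    hits = []
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        host = urlparse(m.group(0)).hostname
        if host and host.lower() in MALICIOUS_HOSTS:
            hits.append(host.lower())
    return hits


# Constructed sample page script: setup() is benign and called; oil() is the trigger shape.
SAMPLE_PAGE_SCRIPT = """
function setup() { var c = document.getElementById('c'); return c; }
function oil(s) { eval(s); }
setup();
"""

# Constructed proxy log lines (assumed format: timestamp client method url status).
SAMPLE_PROXY_LOG = [
    "2014-04-25T10:02:11Z 10.0.0.5 GET http://profile.sweeneyphotos.com/index.html 200",
    "2014-04-25T10:02:12Z 10.0.0.5 GET http://www.example.com/news 200",
    "2014-04-25T10:03:40Z 10.0.0.9 GET http://web.neonbilisim.com/a.swf 200",
]

if __name__ == "__main__":
    print("uncalled eval sinks:", find_uncalled_eval_sinks(SAMPLE_PAGE_SCRIPT))
    print("lure subject?", match_phishing_subject("Refinance Report"))
    print("flagged hosts:", flag_proxy_lines(SAMPLE_PROXY_LOG))
```

The static check is deliberately a heuristic: a function that is defined, never called from the page, and evals its argument is unusual in legitimate pages but not impossible, so treat a hit as a reason to pull the embedded SWF and the page for analysis rather than as a verdict on its own.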

There have been several Flash exploits with heap sprays recently. It may be that the attackers brought the Flash object into the picture because they had more trouble getting the exploit to work in IE.

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
