IE zero-day flaw leaks out; Exploit code published

Summary: Using obvious clues from a McAfee blog post, an Israeli hacker was able to pinpoint the latest Internet Explorer zero-day vulnerability and create working exploit code

Using obvious clues from a McAfee blog post, an Israeli hacker was able to pinpoint the latest Internet Explorer zero-day vulnerability and create working exploit code. The exploit code, which provides a clear roadmap to launch drive-by download attacks against IE 6 and IE 7 users, is being fitted into the Metasploit point-and-click tool.

[ SEE: New Microsoft IE zero-day flaw under attack ]

The latest developments come less than 24 hours after Microsoft confirmed the flaw was being used in targeted attacks and puts the company under added pressure to ship an emergency, out-of-band patch as soon as possible.

Moshe Ben Abu, the Israeli researcher who created the exploit, said he found information on where to find the malicious hosts from a McAfee blog post that discussed the targeted attacks.

Here's the gist of the McAfee post that gave Ben Abu a place to find the zero-day malware:


McAfee Labs is aware of an attack emanating from the domain topix21century.com (over both http and https). In this attack, vulnerable users are directed to a malicious webpage that downloads and executes a file named notes.exe or svohost.exe (classified as BackDoor-EMN) in drive-by download fashion (visiting the page is enough to get infected). There are multiple variants of this trojan involved. Notes.exe creates two copies of itself in the %temp% directory, and drops a DLL file. This DLL file is injected into Internet Explorer and provides remote access to an attacker.

The backdoor allows an attacker to perform various functions on the compromised system, including uploading & downloading files, executing files, and terminating running processes. Infected systems may attempt to communicate with the domain notes.topix21century.com over https.

"It just took a few minutes of digging in that host to find the exploit," Ben Abu said in an e-mail exchange. He said it took about 10 minutes to de-obfuscate the exploit and pinpoint the underlying vulnerability.

"I did some basic debugging of the vulnerability and found the vulnerable code within iepeers.dll," he added.

Metasploit's HD Moore confirmed the exploit code is somewhat reliable. "It's 50% reliable on XP SP2/SP3 with IE7 (no DEP). A little better with IE6," Moore said in an e-mail.

Microsoft has already activated its security response process and issued a pre-patch advisory with mitigations, but the availability of public exploit code is sure to light a fire and raise the likelihood of an emergency update before next month's Patch Tuesday.

Topics: Security, Browser, Microsoft

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
