New IE zero-day attack reported

Summary:Security company FireEye has found a zero-day exploit in Internet Explorer hosted on a breached web site in the United States. EMET may be used to mitigate.

Researchers at network security company Fireeye have identified a zero-day exploit of Internet Explorer on a breached web site.

The specific exploit targets the English versions of Internet Explorer 7 and 8 on Windows XP and IE8 on Windows 7. FireEye says their analysis indicates that the vulnerability behind it affects IE 7, 8, 9 and 10.

FireEye does not say if IE10 on Windows 8 is affected or if they examined IE11.

There are two vulnerabilities involved in the attack: the first is an information disclosure vulnerability which the exploit uses to retrieve the timestamp from the PE headers of msvcrt.dll (part of the Microsoft Visual C++ runtime). The second is an IE out-of-bounds memory access vulnerability, used to achieve code execution.

Many versions of msvcrt.dll are in distribution, so the exploit sends the timestamp back to the attacker's server, which returns an out-of-bounds exploit specific to the user's version.

The exploit contains a "ROP chain" according to FireEye. ROP is Return-Oriented Programming, a technique generally blocked by Address Space Layout Randomization (ASLR), introduced in Windows Vista (a version of Windows unmentioned by FireEye). That the exploit works on Windows XP is no surprise, but for it to work on Windows 7 is more unusual.

The report doesn't say much about the payload, other than that it is large and multi-stage.

FireEye is in working with Microsoft on researching the attack. The report says that the vulnerability can be mitigated using Microsoft's Enhanced Mitigation Experience Toolkit (EMET) 4.0, presumably focusing on msvcrt.dll. Be careful, as you will likely have multiple copies of multiple versions of this DLL on your system.

Topics: Security

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.