Attack code posted for new IE zero-day vulnerability

Summary: Microsoft is investigating claims of a new zero-day vulnerability that leaves Internet Explorer browser users wide open to remote code execution attacks.

Exploit code for the vulnerability has been added to the Metasploit tool and a video has been posted to provide a demo of the severity.

Here's a brief description of the issue from VUPEN:

A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to take complete control of a vulnerable system. This issue is caused by a use-after-free error within the "mshtml.dll" library when processing a web page referencing a CSS (Cascading Style Sheets) file that includes various "@import" rules, which could allow remote attackers to execute arbitrary code via a specially crafted web page.

VUPEN has confirmed this vulnerability with Microsoft Internet Explorer 8 on Windows 7, Windows Vista SP2 and Windows XP SP3, and with Internet Explorer 7 and 6 on Windows XP SP3.

Metasploit's exploit code provides some more information:

This module exploits a memory corruption vulnerability within Microsoft HTML engine (mshtml). When parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused. This leads to arbitrary code execution.
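The trigger the advisory and the Metasploit description both point at is structural: a page whose stylesheet chain imports itself, or imports the same sheet repeatedly. That structure is something a web proxy, mail gateway or content scanner can look for without knowing anything about the mshtml internals. The script below is an added example, not code from the article, from VUPEN or from the Metasploit module: it pulls @import targets out of a small set of constructed stylesheets, builds the import graph, and reports self-imports, repeated imports of one target, and import cycles. The stylesheet names and contents are made up for the example, and the regular expression is an assumption about the @import syntax (it handles the url() and quoted-string forms, not every valid variant).

```python
import re
from collections import Counter

# Constructed sample stylesheets (not from the article): main.css and theme.css import
# each other, layout.css imports itself twice, clean.css -> reset.css is a sane chain.
STYLESHEETS = {
    "main.css": """
        @import url("theme.css");
        @import 'layout.css';
        body { margin: 0; }
    """,
    "theme.css": """
        @import url(main.css);
        h1 { color: #333; }
    """,
    "layout.css": """
        @import "layout.css";
        @import "layout.css";
        .grid { display: flex; }
    """,
    "clean.css": """
        @import url("reset.css");
        p { line-height: 1.4; }
    """,
    "reset.css": "* { box-sizing: border-box; }",
}

# Assumed @import grammar: '@import url(x)', '@import url("x")', '@import "x"', "@import 'x'".
# A media list after the target is ignored; this is a pragmatic scanner, not a CSS parser.
IMPORT_RE = re.compile(r"""@import\s+(?:url\(\s*)?['"]?([^'")\s;]+)['"]?\s*\)?""", re.IGNORECASE)


def parse_imports(css_text):
    """Return the @import targets of one stylesheet in source order, duplicates kept."""
    return IMPORT_RE.findall(css_text)


def audit(sheets, entry):
    """Walk the @import graph from `entry` and report the structural signs of a recursive
    import: a sheet importing itself, a sheet importing one target more than once, and
    import cycles. `sheets` maps stylesheet name -> CSS text; targets that are not in
    the map are reported as missing rather than followed."""
    graph = {name: parse_imports(text) for name, text in sheets.items()}
    findings = {"self_imports": set(), "repeated_imports": set(), "cycles": set(), "missing": set()}
    seen = set()

    def visit(node, path):
        seen.add(node)
        imports = graph.get(node)
        if imports is None:
            findings["missing"].add(node)
            return
        for target, count in Counter(imports).items():
            if count > 1:
                findings["repeated_imports"].add((node, target))
            if target == node:
                findings["self_imports"].add(node)
        for target in imports:
            if target in path:
                # Back edge to a sheet already on the current import chain: a cycle.
                findings["cycles"].add(tuple(path[path.index(target):] + [target]))
            elif target not in seen:
                visit(target, path + [target])

    visit(entry, [entry])
    return {key: sorted(values) for key, values in findings.items()}


if __name__ == "__main__":
    for entry in ("main.css", "clean.css"):
        print(entry, audit(STYLESHEETS, entry))
```

Run stand-alone it prints the findings for the two entry points; for `main.css` the report names the `main.css -> theme.css -> main.css` cycle and the `layout.css` self-import, while `clean.css` comes back empty. The depth-first walk marks each sheet as seen once, so a target that was already fully explored is skipped, which keeps the scan linear in the number of @import edges even on large stylesheet trees.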

According to the video posted by Abysssec Security Research, the exploit bypasses two key Windows anti-exploit mitigations (DEP and ASLR) without the use of any third-party extensions.

There are reports that the vulnerability was first published on a Chinese security blog.

Talkback

37 comments
  • Well another big hole in the heart of Windows

    I'm soooo surprised.

    LOL
    jacarter3
  • Not worried

    Using IE9 here~
    cym104
    • And you're absolutely sure

      @cym104

      that a vulnerability found in all prior Windows and IE versions, based on MS HTML parser code "mshtml", has been updated in IE9? Just because they didn't mention a beta version does not preclude that distinct possibility.
      jacarter3
    • RE: Not worried

      @cym104

      I will go one better than that!

      Using Firefox 4 on Linux.

      You <b>know</b> I am not worried.
      fatman65535
      • You're a good man

        "Using Firefox 4 on Linux."

        :)
        LTV10
  • RE: Attack code posted for new IE zero-day vulnerability

    Hmmmm. Just rolled back from IE9 to IE8 to fix a number of bugs in the beta, and I have had a couple of mshtml errors. Hope they come up with an out of band fix.
    pj48
  • Complete control of the system? Unlikely.

    Protected Mode restricts malicious code from modifying the system and user files. Essentially the code is limited to "read only" status. And for those who are not using Protected Mode, running as a non-privileged user would also limit what changes to the system the malicious code could make.
    ye
    • RE: Attack code posted for new IE zero-day vulnerability

      @ye

      Microsoft recommends running as non-privileged, which I would recommend regardless of what browser you use.

      The biggest exploit is sitting in the chair.
      VRSpock
      • That's been my advice for a long time.

        @VRSpock: "Microsoft recommends running as non-privileged, which I would recommend regardless of what browser you use."

        All too often though it is never recommended by security "experts". It was completely lacking in this article.
        ye
    • So combine this exploit with a privilege escalation bug!

      @ye It's not as if there has <i>never</i> been a privilege escalation bug found in Windows, and this exploit is already bypassing DEP and ASLR, which simplifies executing further exploits.

      So if you're resting on your laurels thinking that privileged mode will save you, <b>think again</b>.
      Zogg
      • Such an attack is much more complex.

        @Zogg: "It's not as if there has never been a privilege escalation bug found in Windows, and this exploit is already bypassing DEP and ASLR, which simplifies executing further exploits."

        While it's possible, it's unlikely. As for relying on Protected Mode to protect me I'll continue to do so. What other options do I have?
        ye
      • And there was me thinking blended attacks are becoming "the norm".

        @Ye More complex only implies "<i>less</i> likely", not "unlikely". And the point is whether two-exploit malware is less likely <i>enough</i>. Seeing as we've long since passed the point when malware was written by kiddies, I would argue <b>not</b>.

        "As for relying on Protected Mode to protect me I'll continue to do so. What other options do I have?"

        Such an obviously loaded question smells like Holiday troll-bait to me... I'll pass, thanks ;-)
        Zogg
      • We don't know.

        @Zogg: "More complex only implies "less likely", not "unlikely". And the point is whether two-exploit malware is less likely enough. Seeing as we've long since passed the point when malware was written by kiddies, I would argue not."

        Protected Mode creates a fairly restricted write environment. It's likely to be more secure than just privileged versus non-privileged accounts.

        Regardless it is possible. But given there are no alternatives, at least you didn't provide any, what are we supposed to do?

        "Such an obviously loaded question smells like Holiday troll-bait to me... I'll pass, thanks"

        IOW you have no answer. You could have just said as much.
        ye
      • You claim not even to run anti-virus software, Ye.

        @Ye Why bother suggesting anything further when you can't be bothered even to use the solutions already presented? But this news won't be costing <i>me</i> any sleepless nights, and I'll leave you to ponder the "why" of <b>that</b> at your leisure.
        Zogg
  • The attack is real...

    I followed MS guidelines of allowing Windows Update to run automatically; what a blunder. The next thing I saw was my Norton's Firewall & Antivirus were all disabled; it said my Norton 360 subscription had expired. I got Norton online support but they could do nothing to fix it after 20 hrs of being online with them.
    I finally figured it out myself.. Uninstall the latest MS Windows updates, set my Windows update to off.. And at least now I can access the internet & my email system again..
    Microsoft is losing it.. I am now going to get an Apple iPad ...
    All in all I have lost a whole week of productivity...
    afcbuck
    • RE: Attack code posted for new IE zero-day vulnerability

      @andrewrukidi@...
      Occam's razor, dude. Either MS disabled your Norton and expired it through a WINDOWS update or your Norton simply expired around the time you did a Windows update. The latter of the two is probably the truth. No need to blame MS for that. But believe what you want...
      cybr2th1
      • RE: Attack code posted for new IE zero-day vulnerability

        @cybr2th@... Give me a break. I am not here to apportion blame but pointing out a problem that I had with the latest MS Windows updates and the faults with their QA of their updates.
        FYI my Norton 360 is valid and still has 171 days to expiration. I am not here to debate the merits or demerits of MS.. How can you ascertain the truth if you have not checked out the issue I have...
        afcbuck
      • One problem with one individual does not make a problem with their QA.

        @afcbuck: "I am not here to apportion blame but pointing out a problem that I had with the latest MS Windows updates and the faults with their QA of their updates."

        Their updates are no more likely to cause problems than any other vendor's. Given the diverse hardware Windows runs on and the software that runs on Windows they do an excellent job of ensuring patches don't break things. Still, there are bound to be some exception cases where problems exist.

        FWIW the patches installed fine without problem on my work PC which runs McAfee (another PoS do-everything resource hog like Norton). No problems to report. Same with my home PCs and that of my GF and her kids (though my home PCs don't run any A/V and their PCs run MSE).
        ye
      • Once again you hit the nail on the head

        @ye...

        "Given the diverse hardware Windows runs on..." Yeah, that's a lot of hardware with many vendors and lots of potential for crap drivers and utilities to manage them. Once again a very good reason to use a Mac where there is a much smaller set of hardware compatibility.

        If you want the freedom to choose any hardware vendor or peripheral from China or India that claims to have a driver for Windows, then you get to have the risk that goes with that.

        BTW - Leaving Windows Update on Auto is absolutely the most stupid thing to ever do. Their poor quality assurance, especially for their hurried and reactive patches for security blunders, has cost me serious time at least three times including the need to completely re-install Windows more than once. The third time I got smart and installed Linux over Windows instead.
        jacarter3
      • RE: Attack code posted for new IE zero-day vulnerability

        @ Jcarter3
        "Leaving Windows Update on Auto is absolutely the most stupid thing to ever do. Their poor quality assurance especially for their hurried and reactive patches for security blunders has cost me serious time at least three times including the need to completely re-install windows more than once"

        You are incredibly irresponsible! You are also explaining experiences the majority of people DON'T have with Windows update. I have been managing enterprise IT for about 15 years and I can say with complete confidence that in all of those years, I maybe had 3 updates over hundreds of computers and servers cause problems. This is not only a testament to Microsoft's ability to provide quality, but a testament to my ability to properly manage an infrastructure. Now what are you doing to your PC that would cause such problems?
        djmik