Attack code posted for new IE zero-day vulnerability
Summary: Microsoft is investigating claims of a new zero-day vulnerability that leaves Internet Explorer browser users wide open to remote code execution attacks.
Exploit code for the vulnerability has been added to the Metasploit tool and a video has been posted to provide a demo of the severity.
Here's a brief description of the issue from VUPEN:
A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to take complete control of a vulnerable system. This issue is caused by a use-after-free error within the "mshtml.dll" library when processing a web page referencing a CSS (Cascading Style Sheets) file that includes various "@import" rules, which could allow remote attackers to execute arbitrary code via a specially crafted web page.
VUPEN has confirmed this vulnerability with Microsoft Internet Explorer 8 on Windows 7, Windows Vista SP2 and Windows XP SP3, and with Internet Explorer 7 and 6 on Windows XP SP3.
Metasploit's exploit code provides some more information:
This module exploits a memory corruption vulnerability within Microsoft HTML engine (mshtml). When parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused. This leads to arbitrary code execution.
According to the video posted by Abysssec Security Research, the exploit bypasses two key Windows anti-exploit mitigations (DEP and ASLR) without the use of any third-party extensions.
There are reports that the vulnerability was first published on a Chinese security blog.
Talkback
Well another big hole in the heart of Windows
LOL
Not worried
And you're absolutely sure
that a vulnerability found in all prior Windows and IE versions, based on MS HTML parser code "mshtml", has been updated in IE9? Just because they didn't mention a beta version does not preclude that distinct possibility.
RE: Not worried
I will go one better than that!
Using Firefox 4 on Linux.
You know I am not worried.
You're a good man
:)
RE: Attack code posted for new IE zero-day vulnerability
Complete control of the system? Unlikely.
RE: Attack code posted for new IE zero-day vulnerability
Microsoft recommends running as non-privileged, which I would recommend regardless of what browser you use.
The biggest exploit is sitting in the chair.
That's been my advice for a long time.
All too often though it is never recommended by security "experts". It was completely lacking in this article.
So combine this exploit with a privilege escalation bug!
So if you're resting on your laurels thinking that privileged mode will save you, think again.
Such an attack is much more complex.
And there was me thinking blended attacks are becoming "the norm".
"As for relying on Protected Mode to protect me I'll continue to do so. What other options do I have?"
Such an obviously loaded question smells like Holiday troll-bait to me... I'll pass, thanks ;-)
We don't know.
Protected Mode creates a fairly restricted write environment. It's likely to be more secure than just privileged versus non-privileged accounts.
Regardless it is possible. But given there are no alternatives, at least you didn't provide any, what are we supposed to do?
"Such an obviously loaded question smells like Holiday troll-bait to me... I'll pass, thanks"
IOW you have no answer. You could have just said as much.
You claim not even to run anti-virus software, Ye.
The attack is real...
I finally figured it out myself.. Uninstall the latest MS Windows updates, set my Windows update to off.. And at least now I can access the internet & my email system again..
Microsoft is losing it.. I am now going to get an Apple iPad ...
As all in all I have lost a whole week of productivity...
RE: Attack code posted for new IE zero-day vulnerability
Occam's razor, dude. Either MS disabled your Norton and expired it through a WINDOWS update or your Norton simply expired around the time you did a Windows update. The latter of the two is probably the truth. No need to blame MS for that. But believe what you want...
RE: Attack code posted for new IE zero-day vulnerability
FYI my Norton 360 is valid and still has 171 days to expiration. I am not here to debate the merits or demerits of MS.. How can you ascertain the truth if you have not checked out the issue I have...
One problem with one individual does not make a problem with their QA.
Once again you hit the nail on the head
"Given the diverse hardware Windows runs on..." Yeah, that's a lot of hardware with many vendors and lots of potential for crap drivers and utilities to manage them. Once again a very good reason to use a Mac where there is a much smaller set of hardware compatibility.
If you want the freedom to choose any hardware vendor or peripheral from China or India that claims to have a driver for Windows, then you get to have the risk that goes with that.
BTW - Leaving Windows Update on Auto is absolutely the most stupid thing to ever do. Their poor quality assurance especially for their hurried and reactive patches for security blunders has cost me serious time at least three times including the need to completely re-install Windows more than once. The third time I got smart and installed Linux over Windows instead.
RE: Attack code posted for new IE zero-day vulnerability
"Leaving Windows Update on Auto is absolutely the most stupid thing to ever do. Their poor quality assurance especially for their hurried and reactive patches for security blunders has cost me serious time at least three times including the need to completely re-install Windows more than once"
You are incredibly irresponsible! You are also explaining experiences the majority of people DON'T have with Windows update. I have been managing enterprise IT for about 15 years and I can say with complete confidence that in all of those years, I maybe had 3 updates over hundreds of computers and servers cause problems. This is not only a testament to Microsoft's ability to provide quality, but a testament to my ability to properly manage an infrastructure. Now what are you doing to your PC that would cause such problems?