Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Attack code posted for new IE zero-day vulnerability

By Ryan Naraine | December 22, 2010, 6:31am PST

Summary: Microsoft is investigating claims of a new zero-day vulnerability that leaves Internet Explorer browser users wide open to remote code execution attacks.


Exploit code for the vulnerability has been added to the Metasploit tool and a video has been posted to provide a demo of the severity.

Here’s a brief description of the issue from VUPEN:

A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to take complete control of a vulnerable system. This issue is caused by a use-after-free error within the “mshtml.dll” library when processing a web page referencing a CSS (Cascading Style Sheets) file that includes various “@import” rules, which could allow remote attackers to execute arbitrary code via a specially crafted web page.

VUPEN has confirmed this vulnerability with Microsoft Internet Explorer 8 on Windows 7, Windows Vista SP2 and Windows XP SP3, and with Internet Explorer 7 and 6 on Windows XP SP3.

Metasploit’s exploit code provides some more information:

This module exploits a memory corruption vulnerability within Microsoft HTML engine (mshtml). When parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused. This leads to arbitrary code execution.
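The condition both advisories describe is a stylesheet whose @import chain loops back on itself. The following is an added example (not code from the article, VUPEN or Metasploit) of the check a web proxy or IDS could run over the content it has already fetched: it parses both @import syntaxes, builds the import graph and reports any cycle. The site map below is constructed sample data standing in for observed responses.

```python
import re
from urllib.parse import urljoin

# Constructed sample corpus standing in for fetched resources (URL -> body).
# A proxy or IDS would fill this from the responses it actually observed.
SAMPLE_SITE = {
    "http://example.test/page.html":
        '<html><head><link rel="stylesheet" href="a.css"></head></html>',
    "http://example.test/a.css":
        '@import url("b.css");\nbody { color: red; }',
    "http://example.test/b.css":
        "@import 'a.css';\n@import url(c.css);",   # loops back to a.css
    "http://example.test/c.css":
        "p { margin: 0 }",
    "http://example.test/clean.css":
        "@import url(c.css);",                      # acyclic, must not be flagged
}

# Both forms CSS allows: @import url(...) and @import "..." / '...'.
IMPORT_RE = re.compile(
    r"""@import\s+(?:url\(\s*['"]?([^'")\s]+)['"]?\s*\)|['"]([^'"]+)['"])""",
    re.IGNORECASE,
)
LINK_RE = re.compile(
    r"""<link[^>]+rel\s*=\s*['"]?stylesheet['"]?[^>]*href\s*=\s*['"]?([^'"\s>]+)""",
    re.IGNORECASE,
)

def css_imports(base_url, css_text):
    """Absolute URLs pulled in by the @import rules in css_text."""
    return [urljoin(base_url, m.group(1) or m.group(2))
            for m in IMPORT_RE.finditer(css_text)]

def find_import_cycles(start_url, resources):
    """Depth-first walk of the @import graph; returns each cycle as a URL list.
    Resources we never fetched are treated as leaves."""
    cycles, on_path, done = [], [], set()

    def visit(url):
        if url in on_path:              # back edge: the import chain loops
            cycles.append(on_path[on_path.index(url):] + [url])
            return
        if url in done:
            return
        on_path.append(url)
        for child in css_imports(url, resources.get(url, "")):
            visit(child)
        on_path.pop()
        done.add(url)

    visit(start_url)
    return cycles

def stylesheets_of(page_url, html):
    """Absolute URLs of the stylesheets a page links to."""
    return [urljoin(page_url, h) for h in LINK_RE.findall(html)]

def check_page(page_url, resources):
    """Cycles found in the @import graph of every stylesheet the page links."""
    found = []
    for sheet in stylesheets_of(page_url, resources.get(page_url, "")):
        found.extend(find_import_cycles(sheet, resources))
    return found
```

A non-empty result from `check_page` is a reason to hold or inspect the response; a legitimate site has no reason for its stylesheets to import one another in a loop.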

According to the video posted by Abysssec Security Research, the exploit bypasses two key Windows anti-exploit mitigations (DEP and ASLR) without the use of any third party extensions.

There are reports that the vulnerability was first published on a Chinese security blog.


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

37 Comments
RE: Attack code posted for new IE zero-day vulnerability
914four 29th Dec 2010
I think he meant another OS with an alternate browser ye.
But that's just my opinion, I could be wrong.
I'm soooo surprised.

LOL
Not worried
cym104 22nd Dec 2010
Using IE9 here~
And you're absolutely sure
jacarter3 22nd Dec 2010
@cym104

that a vulnerability found in all prior Windows and IE versions, based on MS HTML parser code "mshtml", has been updated in IE9? Just because they didn't mention a beta version does not preclude that distinct possibility.
RE: Not worried
fatman65535 23rd Dec 2010
@cym104

I will go one better than that!

Using Firefox 4 on Linux.

You know I am not worried.
You're a good man
LTV10 23rd Dec 2010
Using Firefox 4 on Linux.

Hmmmm. Just rolled back from IE9 to IE8 to fix a number of bugs in the beta, and I have had a couple of mshtml errors. Hope they come up with an out of band fix.
Protected Mode restricts malicious code from modifying the system and user files. Essentially the code is limited to "read only" status. And for those who are not using Protected Mode running as a non-privileged user would also limit what changes to the system the malicious code could do.
@ye

Microsoft recommends running as non-privileged, which I would recommend regardless of what browser you use.

The biggest exploit is sitting in the chair.
@VRSpock: Microsoft recommends running as non-privileged, which I would recommend regardless of what browser you use.

All too often though it is never recommended by security "experts". It was completely lacking in this article.
@ye It's not as if there has never been a privilege escalation bug found in Windows, and this exploit is already bypassing DEP and ASLR, which simplifies executing further exploits.

So if you're resting on your laurels thinking that privileged mode will save you, think again.
Such an attack is much more complex.
ye Updated - 23rd Dec 2010
@Zogg: It's not as if there has never been a privilege escalation bug found in Windows, and this exploit is already bypassing DEP and ASLR, which simplifies executing further exploits.

While it's possible it's unlikely. As for relying on Protected Mode to protect me I'll continue to do so. What other options do I have?
@Ye More complex only implies "less likely", not "unlikely". And the point is whether two-exploit malware is less likely enough. Seeing as we've long since passed the point when malware was written by kiddies, I would argue not.

"As for relying on Protected Mode to protect me I'll continue to do so. What other options do I have?"

Such an obviously loaded question smells like Holiday troll-bait to me... I'll pass, thanks.
We don't know.
ye 23rd Dec 2010
@Zogg: More complex only implies "less likely", not "unlikely". And the point is whether two-exploit malware is less likely enough. Seeing as we've long since passed the point when malware was written by kiddies, I would argue not.

Protected Mode creates a fairly restricted write environment. It's likely to be more secure than just privileged versus non-privileged accounts.

Regardless it is possible. But given there are no alternatives, at least you didn't provide any, what are we supposed to do?

Such an obviously loaded question smells like Holiday troll-bait to me... I'll pass, thanks

IOW you have no answer. You could have just said as much.
@Ye Why bother suggesting anything further when you can't be bothered even to use the solutions already presented? But this news won't be costing me any sleepless nights, and I'll leave you to ponder the "why" of that at your leisure.
The attack is real...
afcbuck 22nd Dec 2010
I followed MS guidelines of allowing Windows Update to run automatically, what a blunder. The next thing I saw was my Norton Firewall & Antivirus were all disabled; it said my Norton 360 subscription had expired. I got Norton online support but they could do nothing to fix it after 20 hrs of being online with them.
I finally figured it out myself.. Uninstall the latest MS Windows updates, set my Windows update to off.. And at least now I can access the internet & my email system again..
Microsoft is losing it.. I am now going to get an Apple iPad ...
All in all I have lost a whole week of productivity...
@andrewrukidi@...
Occam's razor, dude. Either MS disabled your Norton and expired it through a WINDOWS update or your Norton simply expired around the time you did a Windows update. The latter of the two is probably the truth. No need to blame MS for that. But believe what you want...
@cybr2th@... Give me a break. I am not here to apportion blame but pointing out a problem that I had with the latest MS Windows updates and the faults with their QA of their updates.
FYI my Norton 360 is valid and still has 171 days to expiration. I am not here to debate the merits or demerits of MS.. How can you ascertain the truth if you have not checked out the issue I have...
@afcbuck: I am not here to apportion blame but pointing out a problem that I had with the latest MS Windows updates and the faults with their QA of their updates.

Their updates are no more likely to cause problems than any other vendors. Given the diverse hardware Windows runs on and the software that runs on Windows they do an excellent job of ensuring patches don't break things. Still there are bound to be some exception cases where problems exist.

FWIW the patches installed fine without problem on my work PC which runs McAfee (another PoS do everything resource hog like Norton). No problems to report. Same with my home PCs and that of my GF and her kids (though my home PCs don't run any A/V and their PCs run MSE).
Once again you hit the nail on the head
jacarter3 23rd Dec 2010
@ye...

"Given the diverse hardware Windows runs on..." Yeah, that's a lot of hardware with many vendors and lots of potential for crap drivers and utilities to manage them. Once again a very good reason to use a Mac where there is a much smaller set of hardware compatibility.

If you want the freedom to choose any hardware vendor or peripheral from China or India that claims to have a driver for windows, then you get to have the risk that goes with that.

BTW - Leaving Windows Update on Auto is absolutely the most stupid thing to ever do. Their poor quality assurance especially for their hurried and reactive patches for security blunders has cost me serious time at least three times including the need to completely re-install windows more than once. The third time I got smart and installed Linux over Windows instead.
@ Jcarter3
"Leaving Windows Update on Auto is absolutely the most stupid thing to ever do. Their poor quality assurance especially for their hurried and reactive patches for security blunders has cost me serious time at least three times including the need to completely re-install windows more than once"

You are incredibly irresponsible! You are also explaining experiences the majority of people DON'T have with Windows update. I have been managing enterprise IT for about 15 years and I can say with complete confidence that in all of those years, I maybe had 3 updates over hundreds of computers and servers cause problems. This is not only a testament to Microsoft's ability to provide quality, but a testament to my ability to properly manage an infrastructure. Now what are you doing to your PC that would cause such problems?
@djmik

Wow aren't you completely full of yourself and other unmentionable substances. I guess you stupidly assumed that I do not update any of my computers. Another testament to your truly astounding competence. NOT!

I have had way too many frequent and serious glitches with Windows update including a WGA false positive while they were still tweaking their algorithm. That one was the straw that motivated moving to Linux for one machine. I have never had malware on any of my computers in the 20+ years I have been using them. So I must be doing something right. That's probably my complete avoidance of using a malware magnet full of holes like IE except for Windows update.

And your claim to never having had a problem with Auto updates cannot possibly be taken seriously. My bet is that even you do not permit Automatic updates in your "infrastructure." ALL IT folks I know never push an update until they have thoroughly evaluated it and waited for community feedback as well. Even for major holes in Windows, like the one reported here, they still do several test machines before releasing updates to production machines.

Be gone and take your chest beating hubris with you.
@ jacarter3: Yeah, that's a lot of hardware with many vendors and lots of potential for crap drivers and utilities to manage them. Once again a very good reason to use a Mac where there is a much smaller set of hardware compatibility.

Despite Apple's limited hardware and software availability (compared to Windows) their patches have caused users problems too. You act as if patch problems are unique to Microsoft / Windows. They're not.

BTW - Leaving Windows Update on Auto is absolutely the most stupid thing to ever do. Their poor quality assurance especially for their hurried and reactive patches for security blunders has cost me serious time at least three times including the need to completely re-install windows more than once. The third time I got smart and installed Linux over Windows instead.

You couldn't be more wrong. Problems caused by malware which takes advantage of an unpatched system are significantly more likely than a problem caused by a patch. And a patching problem doesn't send your personal information away. But next time I hear that your systems were infected with malware I'll keep this in mind.
@ jacarter3: I have had way too many frequent and serious glitches with Windows update including a WGA false positive while they were still tweaking their algorithm.

Patching problems are rare. If you're having such difficulty with them then I suggest you, and not the patches, are the problem.

And your claim to never having had a problem with Auto updates cannot possibly be taken seriously.

More so than people who have problems. If there were a problem with a patch we'd hear about it. The fact some people have an occasional problem doesn't mean there's a problem with the patch.
Ye, I am smarter than that
jacarter3 23rd Dec 2010
@ye

I'll not waste time conveying my real life issues as you never ever consider them and instead rely on your usual ad hominem attacks, like the one above. In fact, I cannot recall ever seeing you admit you're absolutely wrong and clueless and I doubt I ever will.

How many times have we heard about Windows Patch issues on this very site? I'll say it again so people with the capability of reasoned thought can hear it. Never ever enable Windows Automatic updates. You will eventually come to regret that choice. By all means keep your machine patched. Just review each one, search the net for issues, create a restore point or better back up your computer first, then apply the patches.

Just search Google for "Windows patch issues" and you will see you're blowing smoke. BTW don't use Bing. Try a third party search engine instead.
Then I don't believe you.
ye 23rd Dec 2010
@ jacarter3: I'll not waste time conveying my real life issues as you never ever consider them and instead rely on your usual ad hominem attacks, like the one above.

I think you're full of it.

In fact, I cannot recall ever seeing you admit you're absolutely wrong and clueless and I doubt I ever will.

That's because I'm neither. Should that happen you'll see me admit to it. Until then why would I admit to something I'm not?

How many times have we heard about Windows Patch issues on this very site?

Very few. But you tell me.

Never ever enable Windows Automatic updates. You will eventually come to regret that choice. By all means keep your machine patched. Just review each one, search the net for issues, create a restore point or better back up your computer first, then apply the patches.

Very poor advice. But then we expect that from you.

Just search Google for "Windows patch issues" and you will see you're blowing smoke. BTW don't use Bing. Try a third party search engine instead.

Strawman. No one said there never are any problems. We're saying they're greatly exaggerated. Like your "experiences".
"I think you're full of it."
jacarter3 23rd Dec 2010
@ye

Exactly the response I knew you would undoubtedly spew. Nothing I can ever write or post will ever convince you that people have many problems with Windows and Windows Updates - like the very one that started the thread we are using. Did you read that?

You're an arrogant troll that will not respect or even consider what others say. Yet you keep pushing an argument much like the immature, over his head and scared little boy that keeps saying "I know you are but what am I." Apparently this gives a sense of superiority.

Grow up.

I've nothing more to say to you. Your mind is closed shut - probably necessary for you to remain veiled to your own issues of feeling inadequate.

And if my advice is "poor", then why is that the modus operandi that almost all large enterprise IT shops use?

Have a Merry Christmas. I hope Santa brings you some maturity and self confidence this year.
@afcbuck
You are using Norton 360. This in and of itself attests to your technical prowess.
"Give me a break. I am not here to apportion blame but pointing out a problem that I had with the latest MS Windows updates and the faults with their QA of their updates."
You blame MS for applying a patch that hoses your Norton, then complain about losing a week of productivity due to it. Sounds like you are blaming MS to me! Don't you think if their patch really did this, it would happen to say.....oh, MILLIONS and MILLIONS of users of Norton? That didn't happen. Your problem was isolated. The patch worked for 99.999% of users, but you had a supposed problem...so it MUST be MS's fault. LOL.
Please...just stop while you are behind...
@afcbuck

Boy there is one born every minute - I suppose that's what Norton counts on.

Next time you might consider using MSE and not listening to what Norton "support" says.

Biggest joke of all, you are going to get an iPad for productivity - good luck with that.
@afcbuck ... Wow! You have more serious problems than that zero day issue! Get a good backup schedule going. There is no excuse for losing a week's work these days.
Maybe I'll try Safari till it's fixed and sandbox IE to boot.
@Jaytmoon
Yes, because Safari is so much more secure. lol!
Windows Vista/7 users are not at risk
directory Updated - 23rd Dec 2010
Mitigating Factors:
Protected Mode in Internet Explorer on Windows Vista and later Windows operating systems helps to limit the impact of currently known exploits. An attacker who successfully exploits this vulnerability would have very limited rights on the system.
Windows OS
Martmarty 23rd Dec 2010
@directory, what you're claiming in your subject is true.

But other OS users not using IE are also not at risk.
FF or Chrome in XP or other OS are just as good as running IE in protected mode in my opinion.
Stop using IE, problem solved.
The Metasploit Module
AdamOnSecurity 26th Dec 2010
The IE exploit metasploit module is making a big splash, I discuss on my blog how it can be used by attackers to create botnets or infiltrate large corporate networks. The article can be found here http://adamonsecurity.com/?p=110 - I think you will find it interesting, all comments are welcome.

I look forward to hearing what you have to think
Adam
http://www.adamonsecurity.com
Every day is Zero Day for IE and Windows.