IE zero-day flaw leaks out; Exploit code published


Summary: Using obvious clues from a McAfee blog post, an Israeli hacker was able to pinpoint the latest Internet Explorer zero-day vulnerability and create working exploit code


Using obvious clues from a McAfee blog post, an Israeli hacker was able to pinpoint the latest Internet Explorer zero-day vulnerability and create working exploit code. The exploit code, which provides a clear roadmap to launch drive-by download attacks against IE 6 and IE 7 users, is being fitted into the Metasploit point-and-click tool.

[ SEE: New Microsoft IE zero-day flaw under attack ]

The latest developments come less than 24 hours after Microsoft confirmed the flaw was being used in targeted attacks and puts the company under added pressure to ship an emergency, out-of-band patch as soon as possible.

Moshe Ben Abu, the Israeli researcher who created the exploit, said he found information on where to find the malicious hosts from a McAfee blog post that discussed the targeted attacks.

Here's the gist of the McAfee post that gave Ben Abu a place to find the zero-day malware:


McAfee Labs is aware of an attack emanating from the domain topix21century.com (over both http and https). In this attack, vulnerable users are directed to a malicious webpage that downloads and executes a file named notes.exe or svohost.exe (classified as BackDoor-EMN) in drive-by download fashion (visiting the page is enough to get infected). There are multiple variants of this trojan involved. Notes.exe creates two copies of itself in the %temp% directory, and drops a DLL file. This DLL file is injected into Internet Explorer and provides remote access to an attacker.

The backdoor allows an attacker to perform various functions on the compromised system, including uploading & downloading files, executing files, and terminating running processes. Infected systems may attempt to communicate with the domain notes.topix21century.com over https.
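The behaviour McAfee describes (Internet Explorer launching a dropped executable from %temp%, then the host beaconing to the named domain) is the kind of pattern a defender can turn into detection logic. The following is an added example, not code from the article, McAfee or Metasploit; it runs over constructed, hypothetical process-creation and DNS log lines in a made-up `kind|field|field|...` format and uses only the file names and domain quoted above.

```python
import re

# Indicators quoted in the McAfee post: dropped file names and the C2 domain.
DROPPED_NAMES = {"notes.exe", "svohost.exe"}
C2_DOMAIN = "topix21century.com"

# Temp directories for XP-era and Vista+ profiles plus the system temp dir.
TEMP_DIR_RE = re.compile(
    r"\\(?:Local Settings\\Temp|AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)

# Constructed sample log (hypothetical format):
#   proc|<parent image>|<child image>|<child full path>
#   dns|<host>|<queried name>
SAMPLE_LOG = [
    "proc|iexplore.exe|notes.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\notes.exe",
    "proc|explorer.exe|notepad.exe|C:\\Windows\\System32\\notepad.exe",
    "proc|iexplore.exe|svohost.exe|C:\\Documents and Settings\\bob\\Local Settings\\Temp\\svohost.exe",
    "proc|iexplore.exe|update.exe|C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
    "dns|alice-pc|notes.topix21century.com",
    "dns|bob-pc|www.example.com",
    "dns|bob-pc|topix21century.com.evil.example",  # suffix look-alike, must not match
]


def is_c2_domain(name: str) -> bool:
    """True for the C2 domain itself or any subdomain; false for names that merely contain it."""
    name = name.lower().rstrip(".")
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)


def classify_process(parent: str, image: str, path: str) -> list:
    """Return the reasons a process-creation event is suspicious (empty list if none)."""
    reasons = []
    if image.lower() in DROPPED_NAMES:
        reasons.append("known dropper name")
    # The generic drive-by shape: the browser itself starts a binary out of a temp dir.
    if parent.lower() == "iexplore.exe" and TEMP_DIR_RE.search(path):
        reasons.append("browser launched executable from temp dir")
    return reasons


def scan(lines) -> list:
    """Return (line, reason) pairs for every log line that matches a detection."""
    alerts = []
    for line in lines:
        fields = line.split("|")
        if fields[0] == "proc":
            reasons = classify_process(fields[1], fields[2], fields[3])
            if reasons:
                alerts.append((line, "; ".join(reasons)))
        elif fields[0] == "dns" and is_c2_domain(fields[2]):
            alerts.append((line, "lookup of the C2 domain"))
    return alerts
```

The third `proc` line fires on the temp-directory rule alone, which is the point: the name-based indicators catch this campaign, the parent/path rule catches the next one that renames its dropper.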

"It just took a few minutes of digging in that host to find the exploit," Ben Abu said in an e-mail exchange. He said it took about 10 minutes to de-obfuscate the exploit and pinpoint the underlying vulnerability.

"I did some basic debugging on the vulnerability and found the vulnerable code within iepeers.dll," he added.

Metasploit's HD Moore confirmed the exploit code is somewhat reliable. "It's 50% reliable on XP SP2/SP3 with IE7 (no DEP). A little better with IE6," Moore said in an e-mail.

Microsoft has already activated its security response process and issued a pre-patch advisory with mitigations but the availability of public exploit code is sure to light a fire and raise the likelihood of an emergency update before next month's Patch Tuesday.


Talkback

45 comments
  • Update to IE8

    Even if you don't use IE as your primary browser, you should update to IE8.
    Tom12Tom
    • If all the IE6/7 users took your advice..

      ..they would effectively DDoS Windows Update for the next month or so.

      Products have that much inertia they need to be fixed, not replaced with new ones from scratch every time a problem is found in them.


      Edit: bad typo, bad!
      AzuMao
      • If that were the case...

        ... then IE wouldn't be at version 8... It'd be at oh... About version 6759...

        But you're right. IE 6 has inertia. A LOT of inertia. That's what happens when people are sticking with almost 10 year old technology.

        Unfortunately, not everyone has the freedom to upgrade. Windows 2000 users are plain S.O.L. when it comes to an IE browser newer than 6.x. Some need to go to web sites that can't or won't update their code so they're stuck with it.

        Oddly enough, however, Firefox seems to do exactly what you suggest Microsoft NOT do. They release a new point revision every time they patch a given version. 3.5.0 becomes 3.5.1 etc...
        Wolfie2K3
        • Two wrongs don't make a right.

          Why don't they just use diff?
          It's been working since the early 1970s.
          AzuMao
        • and that works just great

          I've been watching Firefox get slower and slower with every revision. I don't even use Firefox on Windows anymore except for work, because I need it for testing. Still use Iceweasel when I'm on Debian though.
          TheLightcosine
          • Probably ads..

            I have NoScript and AdBlock Plus on my Vista x64 install and some pages load slower on IE 8 32bit.

            I still use FireFox even though it has one serious vulnerability right now.
            JCitizen
  • Just once, I want to see the hacker caught

    and beat to death in public.
    No_Ax_to_Grind
    • Murder is your solution

      Well you find him and murder him then you can get the chair and join him in the after life where you can beat him again.
      voska1
      • Governments "murder" daily.

        I see drag his sorry arse into the street and let the beating begin!
        No_Ax_to_Grind
        • Let's Drag Yours For Every Failed Prediction

          You'd die a thousand times.
          itanalyst2
          • Nice try little fella, now go hide in your trunk.

            Bawahahahahaha
            No_Ax_to_Grind
          • Nice Try Don, Care To Be Original?

            Poor fat little girl...you're lucky you didn't show up...never know who else might be waiting for you.
            itanalyst2
    • Is That What You Did To Your Publisher?

      After your Power Point book bombed and was beat out by My Pet Goat?
      itanalyst2
      • Advice from a coward that hides in his car trunk?

        Buwahahahahaha....
        No_Ax_to_Grind
        • Response From A Fat Loser Author Who Doesn't Show Up?

          Too busy peddling that Power Point book Donny boy?

          BUWAHAHAHAHAHAH!!!
          itanalyst2
          • The only thing worse than spam...

            is you two duking it out! Please get over it!! X-(
            JCitizen
          • Don't listen to JCitizen!

            Encore! ENCORE!!!
            AzuMao
          • Next we'll be doing bread and circuses...

            Bleah!
            JCitizen
    • Please excuse me..

      ..while I hack for a while using your computer.

      Also, pray to God you've never sinned, unless you're afraid of heights and get cold easy.
      AzuMao