Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

IE zero-day flaw leaks out; Exploit code published

By | March 10, 2010, 3:22pm PST

Summary: Using obvious clues from a McAfee blog post, an Israeli hacker was able to pinpoint the latest Internet Explorer zero-day vulnerability and create working exploit code

Using obvious clues from a McAfee blog post, an Israeli hacker was able to pinpoint the latest Internet Explorer zero-day vulnerability and create working exploit code. The exploit code, which provides a clear roadmap to launch drive-by download attacks against IE 6 and IE 7 users, is being fitted into the Metasploit point-and-click tool.

[ SEE: New Microsoft IE zero-day flaw under attack ]

The latest developments come less than 24 hours after Microsoft confirmed the flaw was being used in targeted attacks and puts the company under added pressure to ship an emergency, out-of-band patch as soon as possible.

Moshe Ben Abu, the Israeli researcher who created the exploit, said he found information on where to find the malicious hosts from a McAfee blog post that discussed the targeted attacks.

Here’s the gist of the McAfee post that gave Ben Abu a place to find the zero-day malware:

McAfee Labs is aware of an attack emanating from the domain topix21century.com (over both http and https). In this attack, vulnerable users are directed to a malicious webpage that downloads and executes a file named notes.exe or svohost.exe (classified as BackDoor-EMN) in drive-by download fashion (visiting the page is enough to get infected). There are multiple variants of this trojan involved. Notes.exe creates two copies of itself in the %temp% directory, and drops a DLL file. This DLL file is injected into Internet Explorer and provides remote access to an attacker.

The backdoor allows an attacker to perform various functions on the compromised system, including uploading & downloading files, executing files, and terminating running processes. Infected systems may attempt to communicate with the domain notes.topix21century.com over https.
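The McAfee text above hands a defender a small, concrete indicator set: the two domains, the two dropper file names (note that svohost.exe is a look-alike of the legitimate svchost.exe) and the %temp% drop location. The script below is an added example, not code from the article, from McAfee or from Metasploit, that runs those indicators over a constructed proxy log and a constructed process list. The indicator values are the ones quoted on the page; the log format, the sample lines, the process entries and the `Hit` record are assumptions made for this example.

```python
"""Indicator matcher for the topix21century.com drive-by described in the
McAfee post quoted above.  Added example: the indicator values come from
that quoted text; the log format, sample log lines and process list are
constructed for this example and are not real captures."""
import re
from dataclasses import dataclass

# Indicators taken from the quoted McAfee text.
IOC_DOMAINS = {"topix21century.com", "notes.topix21century.com"}
IOC_DROPPER_NAMES = {"notes.exe", "svohost.exe"}      # svohost.exe mimics svchost.exe
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)  # the %temp% drop location


@dataclass(frozen=True)
class Hit:
    kind: str        # "domain" or "dropper"
    source: str      # the record that matched
    indicator: str   # the indicator value that matched


def domain_matches(host: str) -> bool:
    """True if host is an IoC domain or a subdomain of one (case-insensitive,
    trailing dot tolerated).  A look-alike such as 'nottopix21century.com'
    must not match, hence the explicit '.' before the domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_proxy_log(lines):
    """Constructed proxy-log format: '<ts> <client> <method> <url-or-host:port> <status>'.
    CONNECT lines (the https side of the attack) carry 'host:port' instead of a URL."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        target = fields[3]
        m = re.match(r"https?://([^/:]+)", target)
        host = m.group(1) if m else target.split(":")[0]
        if domain_matches(host):
            hits.append(Hit("domain", line, host))
    return hits


def scan_process_list(entries):
    """entries: iterable of (image_path, parent_image_name).
    Flags the dropper file names and records whether they run from %temp%."""
    hits = []
    for path, parent in entries:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in IOC_DROPPER_NAMES:
            location = "temp" if TEMP_DIR_RE.search(path) else "elsewhere"
            hits.append(Hit("dropper", f"{path} (parent {parent}, {location})", name))
    return hits


# Constructed sample data (not real traffic and not a real host).
SAMPLE_PROXY_LOG = [
    "1268240000.123 10.0.0.7 GET http://www.example.com/index.html 200",
    "1268240012.456 10.0.0.7 GET http://topix21century.com/ 200",
    "1268240013.789 10.0.0.7 CONNECT notes.topix21century.com:443 200",
    "1268240020.000 10.0.0.9 GET http://nottopix21century.com/ 200",  # look-alike, no hit
]
SAMPLE_PROCESSES = [
    (r"C:\Windows\System32\svchost.exe", "services.exe"),  # legitimate service host
    (r"C:\Documents and Settings\user\Local Settings\Temp\notes.exe", "iexplore.exe"),
    (r"C:\Documents and Settings\user\Local Settings\Temp\svohost.exe", "notes.exe"),
]


def run_demo():
    """Return (domain hits, dropper hits) for the constructed samples."""
    return scan_proxy_log(SAMPLE_PROXY_LOG), scan_process_list(SAMPLE_PROCESSES)


if __name__ == "__main__":
    domain_hits, dropper_hits = run_demo()
    for hit in domain_hits + dropper_hits:
        print(f"[{hit.kind}] {hit.indicator}: {hit.source}")
```

The domain check deliberately requires a leading dot before the indicator so that look-alike registrations do not fire, and the process check records the parent image and the drop location, since a dropper spawned by iexplore.exe out of %temp% is the pattern the McAfee text describes. The DLL injection into Internet Explorer that the post mentions is not visible in either data source; that part needs an endpoint view (loaded-module listing or an EDR event), which this example does not cover.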

“It just took a few minutes of digging in that host to find the exploit,” Ben Abu said in an e-mail exchange. He said it took about 10 minutes to de-obfuscate the exploit and pinpoint the underlying vulnerability.

“I did some basic debugging to the vulnerability and found the vulnerable code within iepeers.dll,” he added.

Metasploit’s HD Moore confirmed the exploit code is somewhat reliable. “It’s 50% reliable on XP SP2/SP3 with IE7 (no DEP). A little better with IE6,” Moore said in an e-mail.

Microsoft has already activated its security response process and issued a pre-patch advisory with mitigations but the availability of public exploit code is sure to light a fire and raise the likelihood of an emergency update before next month’s Patch Tuesday.

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

45 Comments

RE: IE zero-day flaw leaks out; Exploit code published
Phentermine 22nd Aug
@voska1

This awfully Phentermine isn't be able to you do again so as to? You meditate it is.
Update to IE8
Tom12Tom 10th Mar 2010
Even if you don't use IE as your primary browser, you should update to IE8.
If all the IE6/7 users took your advice..
AzuMao Updated - 10th Mar 2010
..they would effectively DDoS Windows Update for the next month or so.

Products have that much inertia they need to be fixed, not replaced with new ones from scratch every time a problem is found in them.


Edit: bad typo, bad!
If that were the case...
Wolfie2K3 10th Mar 2010
... then IE wouldn't be at version 8... It'd be at oh... About version 6759...

But you're right. IE 6 has inertia. A LOT of inertia. That's what happens when people are sticking with almost 10 year old technology.

Unfortunately, not everyone has the freedom to upgrade. Windows 2000 users are plain S.O.L. when it comes to an IE browser newer than 6.x. Some need to go to web sites that can't or won't update their code so they're stuck with it.

Oddly enough, however, Firefox seems to do exactly what you suggest Microsoft NOT do. They release a new point revision every time they patch a given version. 3.5.0 becomes 3.5.1 etc...
Two wrongs don't make a right.
AzuMao 10th Mar 2010
Why don't they just use diff?
It's been working since the early 1970s.
and that works just great
TheLightcosine Updated - 11th Mar 2010
I've been watching firefox get slower and slower with every revision. I don't even use firefox on windows anymore except for work, because i need it for testing. Still use Iceweasel when i'm on Debian though
Probably ads..
JCitizen 11th Mar 2010
I have NoScript and AdBlock Plus on my Vista x64 install and some pages load slower on IE 8 32bit.

I still use FireFox even though it has one serious vulnerability right now.
Just once, I want to see the hacker caught
No_Ax_to_Grind 11th Mar 2010
and beat to death in public.
Murder is your solution
voska1 11th Mar 2010
Well you find him and murder him then you can get the chair and join him in the after life where you can beat him again.
Governments "murder" daily.
No_Ax_to_Grind 11th Mar 2010
I see drag his sorry arse into the street and let the beating begin!
Let's Drag Yours For Every Failed Prediction
itanalyst2@... 11th Mar 2010
You'd die a thousand times.
Bawahahahahaha
Nice Try Don, Care To Be Original?
itanalyst2@... 11th Mar 2010
Poor fat little girl...you're lucky you didn't show up...never know who else might be waiting for you.
Is That What You Did To Your Publisher?
itanalyst2@... 11th Mar 2010
After your Power Point book bombed and was beat out by My Pet Goat?
Buwahahahahaha....
Too busy peddling that Power Point book Donny boy?

BUWAHAHAHAHAHAH!!!
The only thing worse than spam...
JCitizen 11th Mar 2010
is you two duking it out! Please get over it!! angry
Don't listen to JCitizen!
AzuMao 11th Mar 2010
Encore! ENCORE!!!
Bleah!
Please excuse me..
AzuMao 11th Mar 2010
..while I hack for a while using your computer.

Also, pray to God you've never sinned, unless you're afraid of heights and get cold easy.
Not as big a goof as I thought by McAfee?
Robert Carnegie 2009 11th Mar 2010
If I follow the story, there already WAS an exploit that they were reporting on - someone was using this for hacking. The Israeli guy just cloned the exploit that was already out there making people unhappy.
Um, no
sysop-dr 11th Mar 2010
The Israeli guy confirmed the exploit and that it was already being used in the wild. He did not create a new exploit but proved there was one out there and that Microsoft needs to get off its butt and put out an out of phase update.

No-Axe, maybe not beaten to death, but yes hunt them down and prosecute them to the fullest extent of the law. And if the government can't get their hands on the guy to prosecute it should put them on trial in absentia and if they obtain a conviction let those who can do such things do as we wish with the convicted criminal on-line. Sort of like deputising people and letting them go on a posse or bounty hunters. I think commissions for privateers are in order, don't you?
Open season on these guys who think they are untouchable. And if the government are able to obtain a conviction on any government or organisation that backs any such criminal let us at them as well.
We have to do something, this is getting out of hand.
I wonder if the right to bear arms also applies to on-line equivalents to arms.
Spam - Really!!??
Chipv@... Updated - 11th Mar 2010
Why do we always have some Spammer adding crap to these blogs.

Ban maidi2555 for posting this drivel
What should really bother you about those types.. is that some of the accounts are less than 3 or 4 days old.. but the ENTIRE time they've been members (ie. all 4 days) they've done NOTHING but spam, and all of the posts of theirs you check, are marked as spam, and yet they are still allowed to post..

It's like the "mark as spam" isn't being taken seriously from moment one. My other guess is that since someone's already marked a message as spam, and many are like this ... that it only gives one flag per spam marking.. and since only the first person to mark as spam can do so.. they don't get 20 or 30 of us marking a message as spam... so the user has to post more messages, and have those marked as spam, to bring about attention to them..

neither system is good.. and obviously they should work to come up with a better system.. perhaps make it easier to get to a moderator, easier to track a user, etc..
Are we sure?..
JCitizen 11th Mar 2010
that someone isn't getting paid under the table for this spam. I know it seems unlikely, but you never know with CBS?!
No Surprise
itanalyst2@... Updated - 11th Mar 2010
It's IE....what do you expect?
This vulnerability exists in up-to-date, fully-patched versions of IE 6 and IE 7.

Speaking of IE, you know how when you want help with something in Windows you press F1? Don't do that in up-to-date versions of IE 8, or you'll get instantly hacked.
Then you weren't using IE8.
AzuMao 11th Mar 2010
Or the hack didn't turn your screen into a fucking Jolly Roger and play scary music.

Or nothing on whatever page you were at took advantage of the exploit.
only works if already infected
optyk 12th Mar 2010
That only works if your computer is already infected. If you're not infected it only brings up Windows Help and Support (in Win7).
Look up IE8 F1 vulnerability. It's still not fixed.

It can be used to install malware, but doesn't require any already existing (other than Windows and IE8).
You've also covered your eyes
still not nice 11th Mar 2010
...and can't see anything.
Like Sgt Schultz...
JCitizen 12th Mar 2010
I see nothing! wink
nt
MS IE SUCKS !
osel091 11th Mar 2010
ie7 anyways sucks, i haven't used it past yrs ..firefox is the best available today..
Like you really know
hantoyo1@... 11th Mar 2010
I wonder why I have often in recent months had to return to using IE when Firefox 3.5 and 3.4 decided to quit working. IE worked GREAT but Firefox took a major vacation... Presently working with FF 3.6 but I can't say that is enough by itself to guarantee that the same won't happen again. Are you qualified to tell me that it won't?????
Like you really know
AzuMao 11th Mar 2010
I wonder why I have often in recent months had to return to using Firefox when IE 8 and IE 7 decided to not install on non-Windows OSs. Firefox worked GREAT but IE won't even install... Presently working with WINE but I can't say that is enough by itself to guarantee that the same won't happen again. Are you qualified to tell me that it won't?????
Why waste WINE
still not nice 11th Mar 2010
on such tripe?
Touche.
AzuMao 12th Mar 2010
connecting to the internet. The only one that did connect was Internet Explorer. The response I got from Zone Labs was _________. They didn't respond at all and ignored the many complaints they received daily. edit spelling.

Major ISPs should link IE6 and 7 users to the IE8 download site. Corporate types wedded to IE6 for in-house intranet apps should whitelist their own sites and block everything else if they are not able or willing to get current. We don't surf from XP machines here anymore at work. Win7 64 with CPUs having ASLR and DEP running IE 8 are as secure as anything else out there.

And your last statement is patently false. Even an extremely simple utility like telnet can do everything IE 8 on Win7 x64 with ASLR and DEP can do, far more securely. Albeit more painfully.

Blah blah blah, IE sucks, blah blah blah, and the drumbeat continues.

Why is McAfee eating any part of this?

praetorianprefect.com/archives/2010/03/iepeers-a-new-internet-explorer-zero-day-vulnerability/
Great!!! thanks for sharing this information to us!
sesli sohbet sesli chat