Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

IE7 XML parsing zero day exploited in the wild

December 10, 2008, 5:57pm PST

A couple of hours ago, two working proof-of-concept exploits for the MS Internet Explorer XML Parsing Remote Buffer Overflow were posted at Milw0rm, and international hacking communities quickly caught up and started using them. The second PoC also works on Vista; both exploits were tested on Vista SP1 with Internet Explorer 7.0.6001.18000, Vista SP0 with Internet Explorer 7.0.6000.16386, and WinXP SP3 with Internet Explorer 7.0.5730.13.

And if that’s not enough, Microsoft is also investigating a second zero day affecting the WordPad text converter according to an advisory issued yesterday.

Not surprisingly, the IE7 exploit is already in circulation, with the Shadowserver Foundation keeping track of the malicious domains using it, the majority of which still remain active. Although in its current form the exploit code is easy to spot through generic detection of potentially malicious shellcode, sampling several of the domains using it reveals that the Chinese hackers behind it are also taking advantage of several other client-side vulnerabilities in order to increase the chances of successful infection. A typical exploit structure looks like the following:

baidu. bbtu01. cn/c0x.htm
baidu. bbtu01. cn/ie07.htm
baidu. bbtu01. cn/104.htm
baidu. bbtu01. cn/a0s.htm
baidu. bbtu01. cn/c0e.htm
baidu. bbtu01. cn/lzz.htm
baidu. bbtu01. cn/Bf0yy.htm
baidu. bbtu01. cn/rea0l10.htm
baidu. bbtu01. cn/real11.htm

Although the malicious domains are currently injected into legitimate Chinese sites and forums as iFrames only, this could easily change so that more legitimate international sites start getting targeted. What are they after this time? Passwords for popular online games in China.
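As an added example (not part of the original post or any of the tools it mentions), here is a small defender-side scanner for the two observations above: injected iframes pointing at tracked domains, and the generic "long run of %u escapes" heuristic that makes the current exploit pages easy to spot. The indicator entries, the sample pages and the hidden-iframe rules are constructed for this demo; the defanged spelling mirrors the list above and is refanged before comparison.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators written in the article's defanged style (spaces break the domain);
# these two entries are constructed for the example from the list above.
DEFANGED_INDICATORS = ["baidu. bbtu01. cn/ie07.htm", "baidu. bbtu01. cn/real11.htm"]

def refang(indicator):
    """Strip defanging spaces so the host can be compared with a real iframe src."""
    return indicator.replace(" ", "")

BAD_HOSTS = {urlparse("http://" + refang(i)).hostname for i in DEFANGED_INDICATORS}

# Generic "potentially malicious shellcode" heuristic: a long run of %uXXXX
# escapes inside a page, typical of unescape()-based payload staging.
UNESCAPE_RUN = re.compile(r"(?:%u[0-9a-fA-F]{4}){32,}")

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in a page."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def scan_html(html):
    """Return (finding, host) tuples for injected iframes and shellcode-like blobs."""
    findings = []
    collector = IframeCollector()
    collector.feed(html)
    for attrs in collector.iframes:
        host = urlparse(attrs.get("src", "")).hostname
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        if host in BAD_HOSTS:
            findings.append(("known-bad-iframe", host))
        elif hidden:  # unknown host, but sized/styled like an injected frame
            findings.append(("hidden-iframe", host))
    if UNESCAPE_RUN.search(html):
        findings.append(("shellcode-like-unescape", None))
    return findings

# Constructed samples: a forum page carrying an injected iframe, and an exploit page.
INJECTED_PAGE = ('<html><body><p>forum post</p><iframe src="http://baidu.bbtu01.cn/ie07.htm"'
                 ' width="0" height="0"></iframe></body></html>')
EXPLOIT_PAGE = '<html><script>var s = unescape("' + "%u0c0c" * 64 + '");</script></html>'
```

Running scan_html over INJECTED_PAGE yields [("known-bad-iframe", "baidu.bbtu01.cn")], and over EXPLOIT_PAGE [("shellcode-like-unescape", None)]; a page with only an ordinary, visible iframe to an unlisted host yields an empty list.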

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Comments

Join the conversation!

Just In

RE: IE7 XML parsing zero day exploited in the wild
birumut Updated - 5th May 2011
Well done! Thank you very much for professional templates and community edition
seslisohbet seslichat
0 Votes
+ -
Flaws such as this can easily be present in any browser. Good thing that IE on Vista runs in Protected Mode so that the exploit can't do much damage.

Not sure if Chrome's security model includes an equivalent of protected mode. If not, it and the other browsers would be smart to do so.
Let's Cut to the Chase
DannyO_0x98 11th Dec 2008
I'm not clear on something. I thought IE7 on Vista SP0/SP1 runs in protected mode by default and yet, above, we see that the exploit works on those configurations. Is it that this write-up is incomplete (as was the first which overlooked mentioning configurations other than XP/SP2) and doesn't mention some disabling of IE7's protected mode as a necessary condition for the exploit? Or, since this is related to xml parsing, does the exploit use parts of the operating system outside of the protected zone and allows the exploit to leak?

Please, no supposed to bes, no speculation, no competition FUD, and no blather from the advocates.

It's been three days, and it's about time the journalists who report on security issues here spelled out exactly how the exploit works, what are the conditions necessary for the exploit and what are the workarounds.

What it does is limit what the code can do. With Protected Mode enabled the browser restricts code to privileges lower than that of a standard user. Thus the code has very limited ability to write/modify/delete (primarily these actions are restricted to temporary files) files/system settings. Thus it is very unlikely a system will become compromised with protected mode.
Just About to Move On
DannyO_0x98 12th Dec 2008
I don't want to be one of these people who act dense so as to flamebait, so I'll quit here. I'm still seeing "probably" and "shoulds" and "limits impact," and wonder why someone won't flat out say IE7 in protected mode on Vista SP1 means one is safe from this exploit.

Is Windows IE7 protected mode as sealed off from the operating system as a BSD jail?
yet another reason to keep the UAC enabled
qmlscycrajg 10th Dec 2008
"Protected Mode in Internet Explorer 7 in Windows Vista limits the impact of the vulnerability"
http://www.microsoft.com/technet/security/advisory/961051.mspx
I think i'll take the paranoid approach..
JT82 Updated - 11th Dec 2008
and use a layered suggestion. Enable both DEP on the browser and bring the internet security zone to high.. keep the nasties out. Hell, probably disable ActiveX completely - I don't really use it...
RE: IE7 XML parsing zero day exploited in the wild
Loverock Davidson 11th Dec 2008
Its only a proof of concept!

PoC != wild! That has been explained to us many times in the talkbacks. Again, no need to worry.
Did you miss this sentence?
msalzberg 11th Dec 2008
"Not surprisingly, the IE7 exploit is already in circulation, with the Shadowserver Foundation keeping track of malicious domains using it, the majority of which still remain active"
Don't mind....
todbran@... 12th Dec 2008
Loverock. He misses a lot of things because he is in love with Bill Gates.