Details of IE zero-day exploit published

Summary: Cisco says that the attack seems to have begun on April 24 with a series of phishing campaigns.

Now that the IE zero day that caused so much panic over the last several days has been patched, researchers are freer to discuss the details of the attack.

Telemetry from Cisco's Snort IPS network shows that the attacks on their customers began on April 24 with several phishing campaigns.

The attack relies on luring a user to a website hosting the malicious code, which is what the phishing emails were for. Cisco found these subject lines used in the attacks:

  • Welcome to Projectmates!
  • Refinance Report
  • What's ahead for Senior Care M&A
  • UPDATED GALLERY for 2014 Calendar Submissions

These domains were used to host the malicious code:

  • profile.sweeneyphotos.com
  • web.neonbilisim.com
  • web.usamultimeters.com
  • inform.bedircati.com
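The subject lines and hostnames above are the kind of indicators a responder would want to sweep mail-gateway and proxy logs for. The following is an added example, not Cisco's code or anything from the article: it normalizes subjects (reply/forward prefixes, case, whitespace) and matches URL hostnames against the listed hosts, using constructed log lines in a hypothetical key=value format. It deliberately matches only the listed hostnames and their subdomains, not the parent domains, because the article does not say the parent sites themselves were hostile.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the article (Cisco's findings).
HOSTING_HOSTS = {
    "profile.sweeneyphotos.com",
    "web.neonbilisim.com",
    "web.usamultimeters.com",
    "inform.bedircati.com",
}
PHISHING_SUBJECTS = {
    "Welcome to Projectmates!",
    "Refinance Report",
    "What's ahead for Senior Care M&A",
    "UPDATED GALLERY for 2014 Calendar Submissions",
}


def normalize_subject(subject):
    """Strip reply/forward prefixes, collapse whitespace, fold case."""
    subject = re.sub(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)+", "", subject, flags=re.I)
    return " ".join(subject.split()).casefold()


NORMALIZED_SUBJECTS = {normalize_subject(s) for s in PHISHING_SUBJECTS}


def subject_matches(subject):
    return normalize_subject(subject) in NORMALIZED_SUBJECTS


def host_matches(host):
    """Match the listed hostnames and anything beneath them, but not the
    parent domains (the article only names these specific hosts)."""
    host = host.casefold().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in HOSTING_HOSTS)


# Constructed sample logs in a hypothetical key=value format (not from the article).
MAIL_LOG = [
    '2014-04-24T09:12:31 to=alice@example.com subject="Refinance Report"',
    '2014-04-24T09:13:02 to=bob@example.com subject="RE:  refinance report"',
    '2014-04-24T10:40:11 to=carol@example.com subject="Lunch on Friday?"',
]
PROXY_LOG = [
    "2014-04-24T09:15:44 src=10.1.2.3 url=http://profile.sweeneyphotos.com/index.html",
    "2014-04-24T09:15:45 src=10.1.2.3 url=http://profile.sweeneyphotos.com/movie.swf",
    "2014-04-24T09:16:10 src=10.1.2.7 url=https://www.sweeneyphotos.com/gallery/",
    "2014-04-24T09:17:02 src=10.1.2.9 url=http://WEB.neonbilisim.com:8080/a.html",
]


def scan_mail(lines):
    """Return log lines whose subject matches a known phishing subject."""
    hits = []
    for line in lines:
        m = re.search(r'subject="([^"]*)"', line)
        if m and subject_matches(m.group(1)):
            hits.append(line)
    return hits


def scan_proxy(lines):
    """Return (hostname, line) for requests to the listed hosting hosts."""
    hits = []
    for line in lines:
        m = re.search(r"\burl=(\S+)", line)
        if not m:
            continue
        # urlsplit lowercases the host and drops the port for us
        host = urlsplit(m.group(1)).hostname or ""
        if host_matches(host):
            hits.append((host, line))
    return hits


if __name__ == "__main__":
    for line in scan_mail(MAIL_LOG):
        print("MAIL ", line)
    for host, line in scan_proxy(PROXY_LOG):
        print("PROXY", host, line)
```

The www.sweeneyphotos.com request is intentionally not flagged; widen host_matches to the registered domain only if your own investigation shows the whole site was under attacker control.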

The malicious JavaScript on the web page was relatively unobfuscated, according to the researchers. It contained a function named oil() that was never called from within the JavaScript itself; the call was made instead by ActionScript in the associated Flash SWF file. The main job of the ActionScript is to "spray the heap": allocate a long series of large memory objects and fill each with a particular byte pattern, typically a sled of "NOP" (no-operation) instructions followed by the shellcode. The shellcode is the program that takes control once the actual Internet Explorer vulnerability has been triggered; the point of the spray is that when corrupted control flow lands at an arbitrary address inside the sprayed region, execution slides down the NOPs into the shellcode.

Once the heap is prepared, the SWF calls back into the web page at oil() with a specially crafted string as a parameter. oil() then triggers the exploit by passing that string to eval(). The resulting memory corruption hijacks control flow, which ends up in the sprayed heap and executes the shellcode.

There have been several Flash exploits with heap sprays recently. It may be that the attackers brought the Flash object into the picture because they had more trouble getting the exploit to work in IE.
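To turn the page structure Cisco describes into something a responder can run over a captured landing page, here is a small static heuristic scanner. It is an added example, not Cisco's or the attackers' code; the sample page is constructed to mirror the described layout (the file name movie.swf and the function names are mine). It flags an embedded SWF, a function the page's own JavaScript never calls (the oil() observation; a call arriving from Flash's ExternalInterface is invisible to a JavaScript-only read), eval() applied to a non-literal argument, and, for the JavaScript-side variant of the spray, long runs of %u9090 escapes.

```python
import re

# Constructed landing page modelled on the structure the article describes
# (SWF embedded, oil() defined but never called by the page's own JavaScript,
# eval() of the string handed in). Not the real exploit page.
SAMPLE_PAGE = r"""
<html><body>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="1" height="1">
  <param name="movie" value="movie.swf">
</object>
<script type="text/javascript">
function setup() { document.title = "loading"; }
function oil(s) { eval(s); }
setup();
</script>
</body></html>
"""

IDENT = r"[A-Za-z_$][\w$]*"


def swf_references(html):
    """File references ending in .swf inside quoted attribute values."""
    return re.findall(r"""["']([^"']+\.swf)["']""", html, flags=re.I)


def script_text(html):
    """Concatenate the bodies of all inline <script> blocks."""
    bodies = re.findall(r"<script\b[^>]*>(.*?)</script>", html, flags=re.I | re.S)
    return "\n".join(bodies)


def uncalled_functions(js):
    """Named functions that are defined but never invoked within the script.
    A call made from outside (e.g. Flash ExternalInterface) is invisible here,
    which is exactly what makes such functions worth a second look."""
    defined = re.findall(r"\bfunction\s+(" + IDENT + r")\s*\(", js)
    result = []
    for name in defined:
        total = len(re.findall(r"\b" + re.escape(name) + r"\s*\(", js))
        defs = len(re.findall(r"\bfunction\s+" + re.escape(name) + r"\s*\(", js))
        if total - defs == 0:
            result.append(name)
    return result


def eval_of_identifier(js):
    """Arguments to eval() that are identifiers rather than string literals."""
    return re.findall(r"\beval\s*\(\s*(" + IDENT + r")\s*\)", js)


def nop_sled_runs(text, min_units=8):
    """Count runs of at least min_units consecutive 0x9090 escape sequences
    (%u9090 or \\u9090), the classic JavaScript-side heap-spray sled. In the
    campaign described above the spray lived in the SWF, so this check covers
    the JavaScript-side variant only."""
    pattern = r"(?:(?:%u|\\u)9090){" + str(min_units) + ",}"
    return len(re.findall(pattern, text))


def assess(html):
    js = script_text(html)
    findings = {
        "swf": swf_references(html),
        "uncalled_functions": uncalled_functions(js),
        "eval_args": eval_of_identifier(js),
        "nop_sled_runs": nop_sled_runs(js),
    }
    # Heuristic: a SWF plus a never-called function that evals its argument is
    # the SWF-to-JavaScript handoff pattern; a sled alone is a spray.
    handoff = findings["swf"] and findings["uncalled_functions"] and findings["eval_args"]
    findings["verdict"] = "suspicious" if (handoff or findings["nop_sled_runs"]) else "clean"
    return findings


if __name__ == "__main__":
    for key, value in assess(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```

These are triage heuristics, not signatures: a page that defines callbacks for a legitimate Flash player will also show a SWF plus uncalled functions, so the eval-of-identifier finding is the one that should raise the priority.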

Topics: Security, Microsoft, Leadership

Talkback

3 comments
  • Are other windows apps also affected by this bug?

    I do not use Internet Explorer, but I use several third-party apps that host the MSHTML browser control, the same one used by Internet Explorer. But all articles about this bug talk only about the vulnerability in Internet Explorer and not in third-party apps. Do you know whether this problem is limited to IE only, or does it affect all Windows apps that use MSHTML (there are a lot of them)? And was this problem fixed for all apps or only for IE?
    jhnlmn
    • Focus was only on IE

      As far as what I have read on Microsoft TechNet and elsewhere, I did not read anything beyond IE issues.
      JohnnyES-25227553276394558534412264934521
    • Most were probably safe

      Most HTML rendering by apps other than web browsers doesn't involve downloading Flash from untrusted sources, so even if they were technically vulnerable, they were probably safe. It also depends on the security settings for apps, which is something I don't know about. If the EPM settings are used for apps that host MSHTML, then they were safe. At any rate, the patch would have closed the hole in any app that hosts MSHTML.
      WilErz