Java zero-day leads to Internet Explorer zero-day

Java zero-day leads to Internet Explorer zero-day

Summary: Following the trail of attackers exploiting vulnerabilities in Java led one security researcher to discover a new zero-day vulnerability in Internet Explorer.


While looking around a compromised server that was being used to exploit Java vulnerabilities, a security researcher stumbled upon another exploit that he claims affects fully patched versions of Microsoft Internet Explorer 7, 8 and 9.

Eric Romang found four files on the server: an executable, a Flash Player movie and two HTML files called exploit.html and protect.html

When users visit the exploit.html page, it loads the Flash movie, which in turn loads the other HTML page, protect.html. Together, they help drop the executable on to the victim's computer. At this point, attackers have everything they need to drop whatever applications they like on the victim's machine, whether it is to join a botnet or conduct attacks. In this case, the dropper executable installs another program when the victim next logs in.

Romang discussed the zero-day with other security researchers, who also came to the same conclusion that this was a vulnerability in Internet Explorer.

However, Romang's presence has not gone unnoticed by those behind the exploit. Shortly after Romang discovered the zero-day, the exploit authors removed the files from the server, replacing them with a text file containing Romang's Twitter handle, "eromang". They also removed the previous Java exploit that was on the server.

The vulnerability has also been picked up by developers working on the Metasploit exploit framework, and an early version of a module exploiting the zero-day has already been created.

Updated at 8.57 a.m. on Tuesday September 18, 2012 AEST (3:57 p.m. on Monday September 17, 2012 PT): Clarified that IE9 is vulnerable.

Topics: Security, Malware, Microsoft, Oracle

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Java zero-day leads to Internet Explorer zero-day

    A zero-day vuln, O my.....
  • More info please

    So, is this an alert to a newly discovered vulnerability that requires action for people running IE7 or IE8? What if Java is fully updated to the current versions? The article seems overly brief.
    Han CNX
    • IE is the issue here.

      Hi Han,

      Java isn't the main issue here. There was a server that was previously used to serve up Java exploits and now it has been found to serve up a yet-as-unseen exploit related to Internet Explorer.

      The very nature of a zero-day means that there are no patches you can apply to IE7 and IE8 to eliminate the risks. At this point, I'd recommend using IE9 (or IE10 once a stable release is available) or pick a different browser.

      Hope that helps!

      Michael Lee (Mukimu)
      • Thanks!!

        Thank you, that's helpful. I'm mostly on Chrome, IE9 and IE10 on Win 8, but some clients are stuck on IE8.
        Han CNX
        • An update

          We've just found that IE9 is also vulnerable to attack and have reflected this in our article.

          I'd retract my previous recommendation and simply recommend picking a different browser.
          Michael Lee (Mukimu)
          • Always recommend any browser other than IE

            You should always recommend a different browser over IE. Inept at best, IE is the worst browser on the planet, and that was true even before this exploit.
  • Different browser good idea .

    I've been using Chrome and Firefox for Years now I have IEx32 and 64 but almost never use them. haven't used IE much since 6 .
    Keep whatever browser you have updated . Best to to disable Java (not javascrip two different things) .Or uninstall Java altogether unless you have a compelling need for it (some enterprise users do )
    preferred user
  • The Writer

    Seesms confused and/or not familiar with what he writes about. His headline says Java Exploit. Then he tries a sophomoronic explanation that flies like a lead balloon. He finally get to the purpose of his post: Don't use IE. Another wasted article????