New IE zero-day attack reported

Summary: Security company FireEye has found a zero-day exploit in Internet Explorer hosted on a breached web site in the United States. EMET may be used to mitigate.


Researchers at network security company FireEye have identified a zero-day exploit of Internet Explorer on a breached web site.

The specific exploit targets the English versions of Internet Explorer 7 and 8 on Windows XP and IE8 on Windows 7. FireEye says their analysis indicates that the vulnerability behind it affects IE 7, 8, 9 and 10.

FireEye does not say if IE10 on Windows 8 is affected or if they examined IE11.

There are two vulnerabilities involved in the attack: the first is an information disclosure vulnerability which the exploit uses to retrieve the timestamp from the PE headers of msvcrt.dll (part of the Microsoft Visual C++ runtime). The second is an IE out-of-bounds memory access vulnerability, used to achieve code execution.

Many versions of msvcrt.dll are in distribution, so the exploit sends the timestamp back to the attacker's server, which returns an out-of-bounds exploit specific to the user's version.

The exploit contains a "ROP chain" according to FireEye. ROP is Return-Oriented Programming, a technique generally blocked by Address Space Layout Randomization (ASLR), introduced in Windows Vista (a version of Windows unmentioned by FireEye). That the exploit works on Windows XP is no surprise, but for it to work on Windows 7 is more unusual.

The report doesn't say much about the payload, other than that it is large and multi-stage.

FireEye is working with Microsoft on researching the attack. The report says that the vulnerability can be mitigated using Microsoft's Enhanced Mitigation Experience Toolkit (EMET) 4.0, presumably focusing on msvcrt.dll. Be careful, as you will likely have multiple copies of multiple versions of this DLL on your system.
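
An inventory check for the caveat above, as an added example that is not from FireEye's report or the original article: it walks a directory tree, reads the TimeDateStamp field from the PE header of every msvcrt.dll it finds (the field the article says the exploit reads), and groups the copies by that value. The function names and the constructed header built by `fake_pe` are illustrative assumptions.

```python
import os
import struct
from collections import defaultdict
from datetime import datetime, timezone

def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since 1970 UTC) from PE header bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # file offset of "PE\0\0"
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found in the bytes read")
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp

def inventory(root: str, name: str = "msvcrt.dll") -> dict:
    """Map each TimeDateStamp to the paths of the copies of `name` under `root`."""
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() != name:
                continue
            path = os.path.join(dirpath, f)
            try:
                with open(path, "rb") as fh:
                    found[pe_timestamp(fh.read(4096))].append(path)
            except (OSError, ValueError):
                found[None].append(path)  # unreadable, or not a PE file
    return dict(found)

def fake_pe(stamp: int) -> bytes:
    """Constructed sample: a minimal DOS + COFF header carrying `stamp`."""
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    return dos + b"PE\0\0" + struct.pack("<HHI", 0x14C, 0, stamp) + b"\0" * 12

if __name__ == "__main__":
    root = os.environ.get("SystemRoot", r"C:\Windows")
    for stamp, paths in inventory(root).items():
        when = "unparsed" if stamp is None else datetime.fromtimestamp(stamp, timezone.utc).isoformat()
        print(when, *paths, sep="\n  ")
```

More than one timestamp in the output means more than one build of the DLL is present, so any per-module mitigation setting needs to be checked against each of them.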


Talkback

14 comments
  • New IE zero-day attack reported

    What's an IE?
    Rock Allan
    • it's a celebrated

      zero-day browser that runs exclusively on the (in)famous zero-day operating system :)
      eulampius
  • latin

    short for id est, meaning "that is"
    as opposed to eg (exempli gratia, meaning "for example")
    larry@...
    • nice answer...

      much more informative than Rock Allan.
      BitBanger_USA
  • info for blocking website

    Wouldn't it be useful to know the breached website so it can be blocked... perhaps they share this with the security community so that your browser security solutions can warn/block while breached.
    greywolf7
    • I'm sure they contacted the site admins too

      Perhaps they didn't want to tar the site too much. I assume they also contacted the site admins and perhaps the attack is down already. But there is still the issue of users who visited the site and may be compromised as a result. It's certainly the responsibility of the site to disclose that.
      larry@...
    • What?!

      You don't trust Microsoft's malicious site blocking in Internet Explorer?

      What I'd like is confirmation that the malware in question is being served at the watering hole site itself, rather than being served from other sites under the control of the malware miscreants (the usual case) where watering hole site users' browsers get redirected to. The FireEye blog does indicate the former in quite strong language.

      I'd also like to know whether the malware miscreants have planted an iFrame with JavaScript at the watering hole site, independent of where the malware is served.
      Rabid Howler Monkey
  • Another day, another IE Attack - Yawn

    I have read about so many that I just stopped thinking about them. I use IE every day since 2011 on my system and I have not been compromised. Microsoft will release a patch and everything will be ok.
    adacosta38
    • questionable policy...

      relying on others as the primary source of security for your system.
      sincerely hope you left out many details of how you protect yourself.
      BitBanger_USA
  • and everything will be OK

    a bit like sticking your thumb in the dyke.

    Others will use a many many times safer web browser.
    albionstreet
    • Would you people please stop pretending...

      ...using alternate software will magically solve all of computing's security problems? The reality is there is no perfectly secure piece of software. There is no one better or more secure piece of software. Today they're all basically the same. So give this a rest.
      ye
      • Re: Would you people please stop pretending...

        Nothing running on Windows is secure, unless it does not use any OS provided API, which is tricky.

        But at least using non-Microsoft designed software reduces the attack surface.

        Of course, different software has a different security model.
        danbi
        • What an idiotic response you made

          Nt
          ye
  • Infinitely Exploitable

    Is IE, and has been since day one of its existence.
    JustCallMeBC