Details of IE zero-day exploit published

Cisco says that the attack seems to have begun on April 24 with a series of phishing campaigns.

Now that the IE zero-day that caused so much panic over the last several days has been patched, researchers are much freer to discuss details of the attack.

Telemetry from Cisco's Snort IPS deployments shows that attacks on its customers began on April 24 with several phishing campaigns.

The attack relies on luring a user to a website hosting the malicious code, which was the purpose of the phishing emails. Cisco found these subject lines used in the attacks:

  • Welcome to Projectmates!
  • Refinance Report
  • What's ahead for Senior Care M&A
  • UPDATED GALLERY for 2014 Calendar Submissions

These domains were used to host the malicious code:


The malicious JavaScript on the web page was relatively unobfuscated, according to the researchers. It defined a function named oil() that was never called from within the JavaScript itself; the call was instead made from ActionScript in the associated Flash SWF file. The main job of the ActionScript is to "spray the heap": perform a series of large memory allocations and fill each one with a chosen pattern, typically a long run of "NOP" instructions followed by the shellcode, the program that takes control once the actual Internet Explorer vulnerability has been exploited. Because the same pattern is repeated across a large region of memory, a hijacked control transfer that lands anywhere in one of the NOP runs slides forward into the shellcode, so the attacker does not need to know the exact address of the payload.
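To make the spray layout concrete, here is an added model of it in JavaScript. This is not code from Cisco's analysis or from the exploit itself: the "shellcode" is a constructed placeholder (0xCC breakpoint bytes), the block size and the base address are assumptions chosen for the walkthrough, and the blocks are assumed to sit contiguously in memory, which a real allocator does not guarantee.

```javascript
// Added example modelling a heap spray: repeated blocks of NOP sled with the
// payload at the end. Placeholder bytes stand in for shellcode; sizes and the
// base address are assumptions for illustration only.
const NOP = 0x90;                                  // single-byte x86 NOP
const PLACEHOLDER_SHELLCODE = Uint8Array.from(     // constructed: 8 x int3 (0xCC)
  [0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc]
);

function makeSprayBlock(size, shellcode) {
  // One sprayed allocation: NOP sled filling the block, shellcode at the end.
  // Execution that lands anywhere in the sled "slides" forward to the shellcode.
  const block = new Uint8Array(size).fill(NOP);
  block.set(shellcode, size - shellcode.length);
  return block;
}

function sprayHeap(count, size, shellcode) {
  // Repeat the block `count` times so a large region of address space
  // contains the same pattern at the same offsets.
  const blocks = [];
  for (let i = 0; i < count; i++) blocks.push(makeSprayBlock(size, shellcode));
  return { blocks, size, shellcodeOffset: size - shellcode.length };
}

function classifyLanding(spray, baseAddr, addr) {
  // Assumes blocks are contiguous from baseAddr (a simplification; the real
  // allocator decides placement). Reports what a hijacked jump to `addr` hits.
  const total = spray.blocks.length * spray.size;
  const off = addr - baseAddr;
  if (off < 0 || off >= total) return 'outside spray';
  const inBlock = off % spray.size;
  if (inBlock < spray.shellcodeOffset) return 'sled';        // slides into shellcode
  if (inBlock === spray.shellcodeOffset) return 'shellcode'; // exact entry point
  return 'mid-shellcode';                                    // desynchronised decode, likely crash
}

function sledFraction(spray) {
  // Share of each block that is sled: the larger it is, the less precise the
  // corrupted pointer has to be for the exploit to succeed.
  return spray.shellcodeOffset / spray.size;
}

// Walkthrough with assumed values: 64 blocks of 64 KiB starting at 0x0c000000.
const BASE = 0x0c000000;
const spray = sprayHeap(64, 0x10000, PLACEHOLDER_SHELLCODE);
console.log(classifyLanding(spray, BASE, 0x0c0c0c0c)); // 'sled'
console.log(sledFraction(spray));                      // ~0.99988
```

The point the model makes is that almost the entire sprayed region is sled, so a corrupted pointer only has to fall somewhere inside the region rather than on one exact address; landing inside the payload itself is the one way to miss, which is why the payload is kept small relative to the sled.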

Once the heap is prepared, the SWF calls back into the web page at oil() with a specially crafted string as its argument. oil() then invokes the exploit by passing that string to eval(). Evaluating it triggers the Internet Explorer vulnerability; on its own the resulting memory corruption would simply crash the browser, but with the heap sprayed, execution is diverted into the prepared region and the shellcode runs.
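The structure described above, a page-level function that nothing on the page ever calls, that hands its argument straight to eval(), and whose name appears in an accompanying SWF, is a pattern worth checking for when triaging a suspicious landing page. The following is an added triage heuristic in JavaScript, not Cisco's tooling; the sample page script and the list of SWF strings are constructed to mirror the description, and the function-definition parsing is deliberately simple (flat function bodies, no nested braces).

```javascript
// Added example: flag page functions that are never called by page script,
// that eval() their own argument, and whose name appears in the SWF's strings
// (as an ExternalInterface.call target would). Inputs below are constructed.
const SAMPLE_PAGE_JS = `
function oil(s) { eval(s); }
function render(x) { return x + 1; }
function helper() { return render(2); }
`;
// Strings one would pull from the SWF with a decompiler or a strings tool; constructed here.
const SAMPLE_SWF_STRINGS = ['ExternalInterface', 'oil', 'flash.utils.ByteArray'];

function findFunctions(js) {
  // Collect `function name(params) { body }` definitions. Brace handling is
  // naive: it assumes flat bodies, which is enough for this sample.
  const defs = [];
  const re = /function\s+([A-Za-z_$][\w$]*)\s*\(([^)]*)\)\s*\{([^}]*)\}/g;
  let m;
  while ((m = re.exec(js)) !== null) {
    const params = m[2].split(',').map(p => p.trim()).filter(Boolean);
    defs.push({ name: m[1], params, body: m[3] });
  }
  return defs;
}

function isCalledInPage(js, name) {
  // A call site is `name(` that is not itself the `function name(` definition.
  // Names in the sample are plain identifiers, so no regex escaping is needed.
  const re = new RegExp(`(?<!function\\s+)\\b${name}\\s*\\(`);
  return re.test(js);
}

function evalsOwnArgument(def) {
  // True when the body contains eval(<one of its own parameters>).
  return def.params.some(p => new RegExp(`\\beval\\s*\\(\\s*${p}\\s*\\)`).test(def.body));
}

function findExternalEvalSinks(js, swfStrings) {
  // Functions defined but never called by page script, which eval their
  // argument; annotate whether the SWF references the name.
  const swf = new Set(swfStrings);
  return findFunctions(js)
    .filter(d => !isCalledInPage(js, d.name) && evalsOwnArgument(d))
    .map(d => ({ name: d.name, referencedBySwf: swf.has(d.name) }));
}

const hits = findExternalEvalSinks(SAMPLE_PAGE_JS, SAMPLE_SWF_STRINGS);
console.log(hits); // [ { name: 'oil', referencedBySwf: true } ]
```

A function that is referenced only from the SWF and that evaluates whatever it is handed is not proof of an exploit on its own, but it is exactly the bridge an analyst should pull on next: the string the SWF passes in is where the IE-specific trigger lives.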

There have been several Flash exploits with heap sprays recently. It may be that the attackers brought the Flash object into the picture because they had more trouble getting the exploit to work reliably from IE's JavaScript alone; ActionScript gives an attacker tighter control over the layout of the heap.