Critical IE Attack Code Available

Tuesday, June 19, 2012 @ 10:06 AM gHale


Attackers are a nimble and agile breed because once they find out about a vulnerability, they pounce.

Take last week’s release of Microsoft’s Internet Explorer (IE) critical update. The company issued a warning that working exploit code could be released within 30 days.

Less than a week later, an exploit for one of the critical browser flaws is already in the freely available Metasploit point-and-click attack tool. Samples have already been posted to Contagio, a blog that tracks live malware attacks.

The addition of the exploit to Metasploit effectively means that cyber-criminals can now copy the attack code for use in exploit kits and other mass malware attacks.

The vulnerability is a remote code execution flaw in the way that Internet Explorer accesses a deleted object. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

Microsoft confirmed the flaw is seeing use in “limited attacks” but the company has not updated its bulletin to make it clear that public exploit code is now widely available.

The live attacks started as far back as June 1, said researchers at security software provider McAfee.

The exploit works across all major Windows platforms, including Windows Vista and Windows 7. It leverages return-oriented programming (ROP) exploitation techniques to bypass data execution prevention (DEP) and address space layout randomization (ASLR) protections, and hook-hopping evasion techniques to evade host-based IPS detection. It requires the victim’s system to run an old Java virtual machine that shipped with a non-ASLR version of msvcr71.dll. If the system does not have Java or there is no non-ASLR version of msvcr71.dll on the system, the exploit won’t work, although it will cause IE to crash.
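As an added defender-side check, not code from the article or from McAfee: this Python script reads a PE image's DllCharacteristics flags to report whether it opts into ASLR and DEP, and walks a directory for copies of msvcr71.dll built without ASLR, the precondition the exploit depends on. The flag values are from the PE/COFF specification; `make_stub_pe` builds a constructed minimal header for demonstration, not a real DLL.

```python
import struct
from pathlib import Path

# PE optional-header DllCharacteristics flags (PE/COFF specification)
DYNAMIC_BASE = 0x0040   # image can be relocated, i.e. ASLR-compatible
NX_COMPAT = 0x0100      # image is DEP-compatible

def pe_mitigations(data: bytes) -> dict:
    """Report which exploit mitigations a PE image opts into.

    Reads DllCharacteristics from the optional header; raises ValueError
    if the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20          # skip PE signature and 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ headers
    chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {"aslr": bool(chars & DYNAMIC_BASE), "dep": bool(chars & NX_COMPAT)}

def find_non_aslr_modules(root, names=("msvcr71.dll",)):
    """Walk root and list copies of the named DLLs that lack DYNAMIC_BASE."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() in names:
            try:
                if not pe_mitigations(path.read_bytes())["aslr"]:
                    hits.append(str(path))
            except (ValueError, OSError):
                pass  # not a PE image or unreadable; skip it
    return hits

def make_stub_pe(dll_characteristics: int) -> bytes:
    """Constructed minimal PE32 header used as a fixture (not a real DLL)."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)    # e_lfanew -> PE signature
    hdr += b"PE\0\0" + b"\0" * 20              # signature + empty COFF header
    opt = bytearray(96)                        # PE32 optional header, no data dirs
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(hdr + opt)

if __name__ == "__main__":
    print("old-style build:", pe_mitigations(make_stub_pe(0)))
    print("hardened build: ", pe_mitigations(make_stub_pe(DYNAMIC_BASE | NX_COMPAT)))
    print(find_non_aslr_modules(r"C:\Windows") if Path(r"C:\Windows").exists() else [])
```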

On Windows XP, an attacker can exploit the vulnerability without any third-party component. We found the exploit tried to download and execute a binary from a remote server.

This vulnerability is entirely different from the unpatched IE vulnerability linked to “nation-state attackers” engaged in ongoing attacks against Gmail/Windows users.
