Researchers up ante, create exploits for IE7, IE8

IE6 isn't the only version vulnerable; Microsoft's mitigations 'weak,' argues expert

Researchers have created attack code that exploits a zero-day vulnerability in Internet Explorer 7 (IE7) as well as in the newest IE8 -- even when Microsoft's recommended defensive measure is turned on.

Microsoft, however, continues to urge users to upgrade from the eight-year-old IE6 -- the only version yet successfully attacked in the wild -- to the newer IE7 or IE8.

On Sunday, Dino Dai Zovi, a security vulnerability researcher and co-author of The Mac Hacker's Handbook, crafted attack code that exploits the unpatched vulnerability in IE7 when it's running on either Windows XP or Windows Vista.

"And now my Aurora exploit works on IE7 on Vista as well as IE6, IE7 on XP. Remember kids, DEP is useless if the app doesn't opt in," said Dai Zovi on Twitter.

"My version [of the exploit] implements a different heap manipulation algorithm," said Dai Zovi in a telephone interview today. "It works on IE7 on XP and Vista because the browser doesn't opt in on DEP [data execution prevention]."

In fact, said Dai Zovi, even the newest IE8 isn't safe from attack if it's running on Windows XP Service Pack 2 (SP2) or earlier, or on Windows Vista RTM (release to manufacturing), the version Microsoft shipped in January 2007. "IE still does not opt in on DEP for those" operating system editions, Dai Zovi noted.

Users can manually switch on DEP -- a move that Microsoft recommended in the security advisory it issued last week -- but without that tweak, most Windows users are open to attack, if not by the original exploit then by follow-ups like Dai Zovi's.

In fact, even DEP can be circumvented, a point the French firm Vupen Security made today. "While the public exploit only targets Internet Explorer 6 without DEP, Vupen Security has confirmed code execution with Internet Explorer 8 and DEP enabled," the company said in an e-mail. "Enabling DEP will only protect users from current exploits."

Although Vupen has created an exploit that works on IE8 with DEP enabled, it's not releasing the attack code to the public; instead, it will offer the exploit only to legitimate security vendors for penetration testing purposes.

Because Vupen's means of bypassing DEP relies on JavaScript, the company recommended that users disable Active Scripting in IE until a patch is available.
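The two workarounds discussed above (switching DEP on for programs that do not opt in, and disabling Active Scripting in the Internet zone) can both be checked from the command line. The following PowerShell is an added example written for this page, not code from the article, from Microsoft's advisory or from Vupen; the function names are mine. The WMI property values (0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut) and the zone registry value (zone 3 = Internet, action 1400 = Active scripting, 0/1/3 = Enable/Prompt/Disable) follow Microsoft's documented meanings; it assumes a Windows machine with PowerShell 2.0 or later and, for the two changing functions, an elevated shell.

```powershell
# Added example (not from the article, Microsoft or Vupen): check whether the
# boot-time DEP policy actually covers a browser that never opts in (IE7, or IE8
# on XP SP2 / Vista RTM), and inspect or apply the Active Scripting workaround.

function Get-DepStatus {
    # Win32_OperatingSystem exposes the policy set with "bcdedit /set nx ...":
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy
    New-Object PSObject -Property @{
        HardwareDep        = [bool]$os.DataExecutionPrevention_Available
        Policy             = $names[$policy]
        # Under OptIn only processes that ask for DEP (via /NXCOMPAT or
        # SetProcessDEPPolicy) get it; AlwaysOn and OptOut cover everything
        # else, which is what "turn on DEP for all programs" means.
        CoversNonOptInApps = ($policy -eq 1 -or $policy -eq 3)
    }
}

function Enable-SystemWideDep {
    # Equivalent of the advisory's "turn on DEP for all programs except those
    # I select" option. Requires an elevated shell and a reboot to take effect.
    & bcdedit /set '{current}' nx OptOut
}

$InternetZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

function Get-InternetZoneActiveScripting {
    # Zone 3 = Internet zone; action 1400 = Active scripting.
    # A missing value means the zone template default still applies (Enable).
    $item = Get-ItemProperty -Path $InternetZoneKey -Name '1400' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Enable (template default)' }
    switch ([int]$item.'1400') {
        0 { 'Enable' }
        1 { 'Prompt' }
        3 { 'Disable' }
        default { "Unknown ($($item.'1400'))" }
    }
}

function Set-InternetZoneActiveScripting {
    # Vupen's recommendation: set Active Scripting to Disable until the patch
    # ships. 'Prompt' is the usability middle ground if Disable breaks sites.
    param([ValidateSet('Enable', 'Prompt', 'Disable')][string]$Mode)
    $code = @{ Enable = 0; Prompt = 1; Disable = 3 }[$Mode]
    Set-ItemProperty -Path $InternetZoneKey -Name '1400' -Value $code -Type DWord
}

# Report what the article's mitigations look like on this machine.
$dep = Get-DepStatus
Write-Host ("DEP hardware support: {0}; policy: {1}; covers non-opt-in apps (IE7): {2}" -f `
    $dep.HardwareDep, $dep.Policy, $dep.CoversNonOptInApps)
Write-Host ("Internet zone Active Scripting: {0}" -f (Get-InternetZoneActiveScripting))

# To apply the workarounds, run (elevated):
#   Enable-SystemWideDep
#   Set-InternetZoneActiveScripting -Mode Disable
```

Note that the DEP check reports the system policy, not a guarantee for IE8: as the article goes on to say, IE8 on XP SP3 or Vista SP1 and later opts in by itself, and Vupen claims code execution even with DEP enabled, so the registry change is the one setting here that blocks the JavaScript-dependent bypass outright, at the cost of breaking most scripted sites.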

There are other ways to do an end-around DEP, said Dai Zovi. "There have been techniques to totally bypass DEP in the public for almost two years now," he said, adding that he plans to discuss his own circumvention method during a presentation at the RSA Conference in early March.

When asked about Vupen's report of bypassing DEP, a Microsoft spokesman said the company is "investigating claims of the ability to bypass the Data Execution Prevention (DEP) feature in Internet Explorer." Microsoft will "take appropriate action" once it's looked into the matter, the spokesman added.

Yesterday, the company gave its strongest hint yet that it will release a patch for the IE flaw before Feb. 9, the next regularly-scheduled Patch Tuesday.

"We want to let customers know that we will release this security update [emphasis in original] as soon as the appropriate amount of testing has been completed," said Jerry Bryant, a security program manager, in a Monday post to the Microsoft Security Response Center (MSRC) blog.

That would be a good idea, said Dai Zovi. "IE7 is just as vulnerable as IE6 on XP and Vista," he said when asked what users should take away from the confusing discussion about the newest zero-day. "And although IE8 on XP SP3 presents another layer of difficulty [to attackers], DEP can be bypassed with known public techniques." That leaves IE8 on Vista SP1 and later, and IE8 on Windows 7, as the safest situations for IE users, Dai Zovi continued.

"But these mitigations, like DEP, are really weak," he said. "They're all or nothing. That's why the sandboxing of a browser like Chrome is a point that warrants being made again."

Two weeks ago, Dai Zovi argued that all browser makers should mimic Google's browser and its "sandboxing," the separation of application processes from other applications, the operating system and user data.

This IE vulnerability has gained more attention than most zero-day bugs because it has been linked to the attacks that broke into Google's corporate network. McAfee was the first to reveal that the attacks against Google had been conducted using exploits of the IE vulnerability. Google has claimed that the attacks originated in China.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send e-mail to gkeizer@ix.netcom.com or subscribe to Gregg's RSS feed.
