Researchers up ante, create exploits for IE7, IE8
IE6 isn't the only version vulnerable; Microsoft's mitigations 'weak,' argues expert
Computerworld - Researchers have created attack code that exploits a zero-day vulnerability in Internet Explorer 7 (IE7) as well as in the newest IE8 -- even when Microsoft's recommended defensive measure is turned on.
Microsoft, however, continues to urge users to upgrade from the eight-year-old IE6 -- the only version yet successfully attacked in the wild -- to the newer IE7 or IE8.
On Sunday, Dino Dai Zovi, a security vulnerability researcher and co-author of The Mac Hacker's Handbook, crafted attack code that exploits the unpatched vulnerability in IE7 when it's running on either Windows XP or Windows Vista.
"And now my Aurora exploit works on IE7 on Vista as well as IE6, IE7 on XP. Remember kids, DEP is useless if the app doesn't opt in," said Dai Zovi on Twitter.
"My version [of the exploit] implements a different heap manipulation algorithm," said Dai Zovi in a telephone interview today. "It works on IE7 on XP and Vista because the browser doesn't opt in on DEP [data execution prevention]."
In fact, said Dai Zovi, even the newest IE8 isn't safe from attack if it's running on Windows XP Service Pack 2 (SP2) or earlier, or on Windows Vista RTM (release to manufacturing), the version Microsoft shipped in January 2007. "IE still does not opt in on DEP for those" operating system editions, Dai Zovi noted.
Users can manually switch on DEP -- a move that Microsoft recommended in the security advisory it issued last week -- but without that tweak, most Windows users are open to attack, if not by the original exploit then by follow-ups like Dai Zovi's.
In fact, even DEP can be circumvented, a point the French firm Vupen Security made today. "While the public exploit only targets Internet Explorer 6 without DEP, Vupen Security has confirmed code execution with Internet Explorer 8 and DEP enabled," the company said in an e-mail. "Enabling DEP will only protect users from current exploits."
Although Vupen has created an exploit that works on IE8 with DEP enabled, it's not releasing the attack code to the public; instead, it will offer the exploit only to legitimate security vendors for penetration testing purposes.
There are other ways to do an end-around DEP, said Dai Zovi. "There have been techniques to totally bypass DEP in the public for almost two years now," he said, adding that he plans to discuss his own circumvention method during a presentation at the RSA Conference in early March.