Researchers up ante, create exploits for IE7, IE8
IE6 isn't the only version vulnerable; Microsoft's mitigations 'weak,' argues expert
Computerworld - Researchers have created attack code that exploits a zero-day vulnerability in Internet Explorer 7 (IE7) as well as in the newest IE8 -- even when Microsoft's recommended defensive measure is turned on.
Microsoft, however, continues to urge users to upgrade from the eight-year-old IE6 -- the only version yet successfully attacked in the wild -- to the newer IE7 or IE8.
On Sunday, Dino Dai Zovi, a security vulnerability researcher and co-author of The Mac Hacker's Handbook, crafted attack code that exploits the unpatched vulnerability in IE7 when it's running on either Windows XP or Windows Vista.
"And now my Aurora exploit works on IE7 on Vista as well as IE6, IE7 on XP. Remember kids, DEP is useless if the app doesn't opt in," said Dai Zovi on Twitter.
"My version [of the exploit] implements a different heap manipulation algorithm," said Dai Zovi in a telephone interview today. "It works on IE7 on XP and Vista because the browser doesn't opt in on DEP [data execution prevention]."
In fact, said Dai Zovi, even the newest IE8 isn't safe from attack if it's running on Windows XP Service Pack 2 (SP2) or earlier, or on Windows Vista RTM (release to manufacturing), the version Microsoft shipped in January 2007. "IE still does not opt in on DEP for those" operating system editions, Dai Zovi noted.
Users can manually switch on DEP -- a move that Microsoft recommended in the security advisory it issued last week -- but without that tweak, most Windows users are open to attack, if not by the original exploit then by follow-ups like Dai Zovi's.
In fact, even DEP can be circumvented, a point the French firm Vupen Security made today. "While the public exploit only targets Internet Explorer 6 without DEP, Vupen Security has confirmed code execution with Internet Explorer 8 and DEP enabled," the company said in an e-mail. "Enabling DEP will only protect users from current exploits."
Although Vupen has created an exploit that works on IE8 with DEP enabled, it's not releasing the attack code to the public; instead, it will offer the exploit only to legitimate security vendors for penetration testing purposes.
There are other ways to do an end-around DEP, said Dai Zovi. "There have been techniques to totally bypass DEP in the public for almost two years now," he said, adding that he plans to discuss his own circumvention method during a presentation at the RSA Conference in early March.
Web giants attacked
- White House orders security review in wake of WikiLeaks disclosure
- Leaked U.S. document links China to Google attack
- Update: Researchers track cyber-espionage ring to China
- Google, China now playing cat and mouse?
- McAfee: 'Amateur' malware not used in Google attacks
- Military warns of 'increasingly active' cyber-threat from China
- China: Google 'totally wrong' to stop censoring
- Update: Google stops censoring in China
- Google's China ad partners wait in 'incomparable pain'
- Google may soon leave China, reports say
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!