Researchers reveal attack code for new IE zero-day
Microsoft investigates unpatched IE vulnerability, exploit that bypasses ASLR and DEP on Windows 7
Computerworld - Security researchers have released attack code that exploits an unpatched bug in Microsoft's Internet Explorer (IE) and sidesteps defenses baked into Windows 7.
Microsoft said it was looking into the vulnerability.
"Microsoft is investigating new public claims of a possible vulnerability in Internet Explorer," said Dave Forstrom, the director of Microsoft's Trustworthy Computing group, in statement. "We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact."
The bug first surfaced earlier this month when French security firm Vupen announced it had uncovered a flaw in IE's HTML engine that could be exploited when the browser processed a CSS (Cascading Style Sheets) file that included "@import" rules. The @import rules let Web designers add external style sheets to an existing HTML document.
Vupen issued a bare-bones advisory on Dec. 9 that confirmed the vulnerability in IE8 running on Windows XP, Vista and Windows 7, and in IE6 and IE7 on XP. Attackers could trigger the bug from a rigged Web page, then hijack the PCs to plant malware or pillage its secrets.
Although Vupen crafted an exploit, it released the attack code only to its own customers for penetration testing purposes.
Others pushed the IE bug into public view Tuesday. Abysssec Security Research posted a short video demo of an attack in action, and security researcher Joshua Drake added a working exploit to the Metasploit penetration testing kit.
Drake credited a Chinese security blog for revealing the vulnerability last month.
Unlike some other recent IE bugs, this one can be exploited on the newest browser, IE8, running on Microsoft's newest OS, Windows 7, by defeating the latter's DEP (data execution prevention) and ASLR (address space layout randomization) anti-exploit defenses.
According to HD Moore, the chief security at Rapid7 and the creator of Metasploit, Drake's code works reliably against IE8 on Windows 7, but is slightly less dependable when aimed at IE on Windows XP.
The exploit is notable for the way it circumvents DEP and ASLR, Moore said. It relies on a flaw in Windows that lets hackers force the operating system to load outdated .Net DLLs (dynamic-link libraries) that do not have ASLR enabled.
"The .Net [return-oriented programming] is what is used to bypass ASLR and DEP for this exploit," Moore said in an e-mail reply to questions. "It's a solid technique that will apply to future exploits unless Microsoft blocks loading of older .Net libraries."
The .Net-based attack strategy was first spelled out by a pair of McAfee researchers -- Xiao Chen and Jun Xie -- during a presentation at the XCon security conference in Beijing last August. Moore credited Xiao Chen with discovering the .Net technique.
Although Microsoft has put much stock in ASLR's and DEP's defenses, it has acknowledged that researchers are finding ways to bypass both by exploiting weaknesses in ASLR.
Microsoft's Forstrom did not set a patch date for the vulnerability, but said the company would take "appropriate action" once it had wrapped up its investigation.
The next regularly-scheduled Patch Tuesday is Jan. 11, but because Microsoft usually updates the browser every other month, and just did so last week, it's possible the vulnerability won't be addressed until February.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
- Feds declare big win over Cryptolocker ransomware
- Hackers hit more businesses through remote access accounts
- P.F. Chang's post-breach move to manual processing is telling
- Microsoft withholds monster IE update from Windows 8.1 dawdlers
- In baffling move, TrueCrypt open-source crypto project shuts down
- 'Oleg Pliss' hack makes for a perfect teachable IT moment
- Give IE the heave-ho until Microsoft patches zero-day
- Hackers find first post-retirement Windows XP-related vulnerability
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Fight Malware, Malfeasance and Malingering Every year brings more extreme sets of threats than the last. The good news is that there are a range of mitigation options....
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Malware and Vulnerabilities White Papers | Webcasts