Researchers reveal attack code for new IE zero-day
Microsoft investigates unpatched IE vulnerability, exploit that bypasses ASLR and DEP on Windows 7
Computerworld - Security researchers have released attack code that exploits an unpatched bug in Microsoft's Internet Explorer (IE) and sidesteps defenses baked into Windows 7.
Microsoft said it was looking into the vulnerability.
"Microsoft is investigating new public claims of a possible vulnerability in Internet Explorer," said Dave Forstrom, the director of Microsoft's Trustworthy Computing group, in a statement. "We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact."
The bug first surfaced earlier this month when French security firm Vupen announced it had uncovered a flaw in IE's HTML engine that could be exploited when the browser processed a CSS (Cascading Style Sheets) file that included "@import" rules. The @import rules let Web designers add external style sheets to an existing HTML document.
Vupen issued a bare-bones advisory on Dec. 9 that confirmed the vulnerability in IE8 running on Windows XP, Vista and Windows 7, and in IE6 and IE7 on XP. Attackers could trigger the bug from a rigged Web page, then hijack the PC to plant malware or pillage its secrets.
Although Vupen crafted an exploit, it released the attack code only to its own customers for penetration testing purposes.
Others pushed the IE bug into public view Tuesday. Abysssec Security Research posted a short video demo of an attack in action, and security researcher Joshua Drake added a working exploit to the Metasploit penetration testing kit.
Drake credited a Chinese security blog for revealing the vulnerability last month.
Unlike some other recent IE bugs, this one can be exploited on the newest browser, IE8, running on Microsoft's newest OS, Windows 7, by defeating the latter's DEP (data execution prevention) and ASLR (address space layout randomization) anti-exploit defenses.
According to HD Moore, the chief security officer at Rapid7 and the creator of Metasploit, Drake's code works reliably against IE8 on Windows 7, but is slightly less dependable when aimed at IE on Windows XP.
The exploit is notable for the way it circumvents DEP and ASLR, Moore said. It relies on a flaw in Windows that lets hackers force the operating system to load outdated .Net DLLs (dynamic-link libraries) that do not have ASLR enabled.
"The .Net [return-oriented programming] is what is used to bypass ASLR and DEP for this exploit," Moore said in an e-mail reply to questions. "It's a solid technique that will apply to future exploits unless Microsoft blocks loading of older .Net libraries."
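One way a defender can check the property Moore describes, whether a module loaded into the browser opts in to ASLR and DEP, is to read the DllCharacteristics flags in its PE optional header. This is an added Python example, not code from the article or from Metasploit; the images it inspects are constructed header stubs, not real .Net DLLs.

```python
"""Report whether a PE image opts in to ASLR and DEP (added example)."""
import struct

# IMAGE_DLLCHARACTERISTICS flags from the PE/COFF specification.
DYNAMIC_BASE = 0x0040  # image may be relocated at load time (ASLR)
NX_COMPAT = 0x0100     # image declares itself compatible with DEP


def dll_characteristics(pe: bytes) -> int:
    """Return the DllCharacteristics field of a PE32 or PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20          # skip signature and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at optional-header offset 70 in both formats.
    (chars,) = struct.unpack_from("<H", pe, opt + 70)
    return chars


def mitigation_status(pe: bytes) -> dict:
    """Map the two flags to readable booleans."""
    chars = dll_characteristics(pe)
    return {"aslr": bool(chars & DYNAMIC_BASE), "dep": bool(chars & NX_COMPAT)}


def build_stub_pe(characteristics: int) -> bytes:
    """Constructed minimal PE32 header (not a loadable binary) for testing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header follows DOS header
    # COFF header: i386, no sections, 96-byte optional header, DLL characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x2102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", opt, 70, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: a module built without either mitigation, as the old
# .Net DLLs were, beside one that opts in to both.
LEGACY_DLL = build_stub_pe(0x0000)
HARDENED_DLL = build_stub_pe(DYNAMIC_BASE | NX_COMPAT)

if __name__ == "__main__":
    for name, image in (("legacy", LEGACY_DLL), ("hardened", HARDENED_DLL)):
        print(name, mitigation_status(image))
```

On a real system, run the same check over the on-disk images of every module a browser process loads; a single module without DYNAMIC_BASE gets a fixed base and weakens ASLR for the whole process.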
The .Net-based attack strategy was first spelled out by a pair of McAfee researchers -- Xiao Chen and Jun Xie -- during a presentation at the XCon security conference in Beijing last August. Moore credited Xiao Chen with discovering the .Net technique.
Although Microsoft has put much stock in ASLR's and DEP's defenses, it has acknowledged that researchers are finding ways to bypass both by exploiting weaknesses in ASLR.
Microsoft's Forstrom did not set a patch date for the vulnerability, but said the company would take "appropriate action" once it had wrapped up its investigation.
The next regularly-scheduled Patch Tuesday is Jan. 11, but because Microsoft usually updates the browser every other month, and just did so last week, it's possible the vulnerability won't be addressed until February.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His e-mail address is email@example.com.