Researchers reveal attack code for new IE zero-day

Microsoft investigates unpatched IE vulnerability, exploit that bypasses ASLR and DEP on Windows 7

Security researchers have released attack code that exploits an unpatched bug in Microsoft's Internet Explorer (IE) and sidesteps defenses baked into Windows 7.

Microsoft said it was looking into the vulnerability.

"Microsoft is investigating new public claims of a possible vulnerability in Internet Explorer," said Dave Forstrom, the director of Microsoft's Trustworthy Computing group, in statement. "We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact."

The bug first surfaced earlier this month when French security firm Vupen announced it had uncovered a flaw in IE's HTML engine that could be exploited when the browser processed a CSS (Cascading Style Sheets) file that included "@import" rules. The @import rules let Web designers add external style sheets to an existing HTML document.

Vupen issued a bare-bones advisory on Dec. 9 that confirmed the vulnerability in IE8 running on Windows XP, Vista and Windows 7, and in IE6 and IE7 on XP. Attackers could trigger the bug from a rigged Web page, then hijack the PCs to plant malware or pillage its secrets.

Although Vupen crafted an exploit, it released the attack code only to its own customers for penetration testing purposes.

Others pushed the IE bug into public view Tuesday. Abysssec Security Research posted a short video demo of an attack in action, and security researcher Joshua Drake added a working exploit to the Metasploit penetration testing kit.

Drake credited a Chinese security blog for revealing the vulnerability last month.

Unlike some other recent IE bugs , this one can be exploited on the newest browser, IE8, running on Microsoft's newest OS, Windows 7, by defeating the latter's DEP (data execution prevention) and ASLR (address space layout randomization) anti-exploit defenses.

According to HD Moore, the chief security at Rapid7 and the creator of Metasploit, Drake's code works reliably against IE8 on Windows 7, but is slightly less dependable when aimed at IE on Windows XP.

The exploit is notable for the way it circumvents DEP and ASLR, Moore said. It relies on a flaw in Windows that lets hackers force the operating system to load outdated .Net DLLs (dynamic-link libraries) that do not have ASLR enabled.

"The .Net [return-oriented programming] is what is used to bypass ASLR and DEP for this exploit," Moore said in an e-mail reply to questions. "It's a solid technique that will apply to future exploits unless Microsoft blocks loading of older .Net libraries."

The .Net-based attack strategy was first spelled out by a pair of McAfee researchers -- Xiao Chen and Jun Xie -- during a presentation at the XCon security conference in Beijing last August. Moore credited Xiao Chen with discovering the .Net technique.

Although Microsoft has put much stock in ASLR's and DEP's defenses, it has acknowledged that researchers are finding ways to bypass both by exploiting weaknesses in ASLR.

Microsoft's Forstrom did not set a patch date for the vulnerability, but said the company would take "appropriate action" once it had wrapped up its investigation.

The next regularly-scheduled Patch Tuesday is Jan. 11, but because Microsoft usually updates the browser every other month, and just did so last week, it's possible the vulnerability won't be addressed until February.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , or subscribe to Gregg's RSS feed . His e-mail address is .

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Copyright © 2010 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon