Friday, December 12, 2008

IE7 exploit is already in circulation

There’s a Zero-Day Exploit for Internet Explorer Out There

There are several reports of exploits circulating in the wild that target a 0-day vulnerability in Microsoft Internet Explorer 7. These exploits are being used to install malware on Windows systems when unsuspecting users visit websites that have been compromised to host the exploit code.


This vulnerability was first made public in Chinese language discussion forums on or about December 7th, 2008 by a group calling itself the Knownsec team.

Microsoft Security Bulletin MS08-073 (Cumulative Security Update for Internet Explorer, KB958215), released on December 9th, 2008 as part of Microsoft's regularly scheduled December security updates, does not contain a fix for this vulnerability.

Initial reports by other security vendors mentioned a malformed XML tag as the possible cause of the vulnerability; however, deeper analysis suggests that the problem lies in the XML parsing engine of IE7 and in the library MSHTML.DLL. The vulnerability depends on how certain elements of HTML pages are terminated and therefore could potentially affect not only XML but also other objects handled by the browser. This means that attackers may start using different attack vectors in the future to exploit this vulnerability, but at the moment the exploit that has been publicly released on several Chinese forums only uses XML elements and tags.

Because of the nature of this attack, it does not depend on any specific ActiveX control, so this time I can’t tell you to disable or set the KillBit for a specific CLSID. However, the attack still requires some JavaScript in order to use heap-spray techniques to achieve reliable code execution, so blocking JavaScript for un-trusted websites would somewhat mitigate the risk.

At the moment, many attacks are traced back to Chinese domains and websites, which the exploit uses to download and install additional malicious code components. The downloaded malicious code consists of a variety of Downloader, Infostealer and W32.SillyDC variants. We also recommend blocking the following hosts at network boundaries:

• wwwwyyyyy.cn
• sllwrnm5.cn
• baikec.cn
• oiuytr.net
• laoyang4.cn
• cc4y7.cn
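To make the block list above actionable, here is an added example (my own code, not from the original post or any vendor) that matches the listed domains against outbound proxy-log entries, so a network team can spot hosts that already reached the exploit-serving sites. The log line format and the sample lines are constructed for illustration; the matching treats subdomains of a listed domain as blocked but deliberately does not match look-alike names that merely contain a listed domain.

```python
"""
Added example (not part of the original post): flag proxy-log requests whose
destination is one of the domains named in the post, or a subdomain of one.
The log format and every sample line below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Domains quoted in the post. Subdomains of these count as blocked as well.
BLOCKED_DOMAINS = {
    "wwwwyyyyy.cn",
    "sllwrnm5.cn",
    "baikec.cn",
    "oiuytr.net",
    "laoyang4.cn",
    "cc4y7.cn",
}


def normalize_host(host):
    """Lower-case, drop a trailing dot (absolute FQDN form) and any :port suffix."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("["):            # bracketed IPv6 literal: leave untouched
        return host
    return host.split(":", 1)[0]


def is_blocked(host):
    """True if host equals a listed domain or sits under it (exact label match)."""
    host = normalize_host(host)
    # endswith("." + d) avoids matching look-alikes such as "notbaikec.cn"
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


# Constructed log format (an assumption, not a real product's format):
#   <timestamp> <client_ip> <method> <url_or_host:port> <status>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def scan_proxy_log(lines):
    """Return (timestamp, client_ip, host) for every request to a blocked domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:                       # skip lines that do not fit the format
            continue
        ts, client, _method, target, _status = m.groups()
        # Full URLs are parsed; CONNECT targets are already "host:port"
        host = urlsplit(target).hostname if "://" in target else target
        if host and is_blocked(host):
            hits.append((ts, client, normalize_host(host)))
    return hits


# Constructed sample log: mixed benign traffic, mixed-case hosts, a CONNECT
# tunnel, a look-alike domain, an absolute FQDN and one malformed line.
SAMPLE_LOG = [
    "2008-12-12T10:01:05 10.0.0.15 GET http://www.example.org/index.html 200",
    "2008-12-12T10:01:09 10.0.0.15 GET http://WWW.Baikec.CN/xml.htm 200",
    "2008-12-12T10:02:31 10.0.0.22 CONNECT oiuytr.net:443 200",
    "2008-12-12T10:03:00 10.0.0.31 GET http://notbaikec.cn/ 404",
    "2008-12-12T10:03:44 10.0.0.31 GET http://dl.sllwrnm5.cn./x.exe 200",
    "this line is not a log entry",
]

if __name__ == "__main__":
    for ts, client, host in scan_proxy_log(SAMPLE_LOG):
        print(f"{ts} client {client} contacted blocked host {host}")
```

Feeding the real proxy log through `scan_proxy_log` gives a list of internal clients to check for the downloaders the post mentions; the same `is_blocked` test can be reused when building a DNS sinkhole or hosts-file entry list.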

My advice for Windows users is as follows:

• Update your AV and IPS software with the latest signatures
• Run Internet Explorer with limited privileges
• Enable DEP protection for browsers
• Disable JavaScript in Internet Explorer
• Avoid following links to un-trusted sites
