
SANS ISC: 0-day exploit for Internet Explorer in the wild



As reported by some other researchers, there is a 0-day exploit for Internet Explorer circulating in the wild. At this point in time it does not appear to be widely used, but as the code is publicly available we can expect that to change very soon.

This is a brand new exploit that is *not* fixed by MS08-073, which was released yesterday. I can confirm that the exploit works on a fully patched Windows XP machine.

The exploit is a typical heap overflow that appears to be exploiting something in the XML parser. After setting up the heap (spraying it by allocating 159 arrays containing the shell code), the exploit checks that a couple of conditions are satisfied before continuing:

  • The user has to be running Internet Explorer
  • The version of Internet Explorer has to be 7
  • The operating system has to be Windows XP or Windows 2003
If these conditions are satisfied, the exploit creates an XML tag as shown above. Also interesting, and visible in the code above, is that it waits 6 seconds before executing the code; this was probably added to thwart automated crawlers run by anti-virus vendors.
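The staging pattern described above (a spray of many arrays, a gate on IE 7 running on Windows XP or 2003, and a multi-second delay before the trigger) is something a defender can look for in captured page scripts. The heuristic below is an added example, not code from the diary or the exploit; its indicator names, regular expressions and thresholds are this example's own choices, and the two fixture scripts are constructed for it (the "suspicious" one is only a skeleton with a placeholder string, no payload).

```python
"""Defender-side heuristic for the staging pattern the diary describes: a heap
spray, a gate on IE 7 / Windows XP or 2003, and a multi-second setTimeout delay.
Indicator names, regexes and thresholds are this example's own choices."""
import re

RE_UNESCAPE = re.compile(r'unescape\(\s*["\'](?:%u[0-9a-fA-F]{4}){2,}')
RE_LOOP = re.compile(r'for\s*\([^;]*;[^;<]*<\s*(\d+)\s*;[^)]*\)')
RE_INDEXED_ASSIGN = re.compile(r'\[\s*\w+\s*\]\s*=[^=]')
RE_UA = re.compile(r'navigator\.(?:userAgent|appVersion)')
RE_IE7 = re.compile(r'MSIE 7')
RE_OS = re.compile(r'Windows NT 5\.[12]')      # XP is NT 5.1, 2003 is NT 5.2
RE_TIMEOUT = re.compile(r'setTimeout\s*\([^,]+,\s*(\d+)')
SPRAY_MIN_ARRAYS = 50      # the sample in the diary allocates 159
DELAY_MIN_MS = 5000        # the sample in the diary waits 6 seconds

def scan(script: str) -> dict:
    """Return which of the four indicators a script body exhibits."""
    loop_bounds = [int(m.group(1)) for m in RE_LOOP.finditer(script)]
    delays = [int(m.group(1)) for m in RE_TIMEOUT.finditer(script)]
    return {
        "u_encoded_unescape": bool(RE_UNESCAPE.search(script)),
        "large_array_fill": any(b >= SPRAY_MIN_ARRAYS for b in loop_bounds)
                            and bool(RE_INDEXED_ASSIGN.search(script)),
        "ie7_xp_gate": bool(RE_UA.search(script) and RE_IE7.search(script)
                            and RE_OS.search(script)),
        "delayed_trigger": any(d >= DELAY_MIN_MS for d in delays),
    }

def is_suspicious(script: str, min_hits: int = 3) -> bool:
    """Flag a script when at least min_hits of the four indicators co-occur."""
    return sum(scan(script).values()) >= min_hits

# Constructed fixtures: a skeleton of the staging logic (placeholder, no payload)
# and an ordinary page script for comparison.
SUSPICIOUS = r"""
var nop = unescape("%u0c0c%u0c0c");
var sled = "";
while (sled.length < 0x100000) sled += nop;
for (var i = 0; i < 159; i++) spray[i] = sled + "PAYLOAD_PLACEHOLDER";
if (navigator.appVersion.indexOf("MSIE 7") > -1 &&
    navigator.appVersion.indexOf("Windows NT 5.1") > -1) {
  setTimeout("go()", 6000);
}
"""
BENIGN = r"""
var items = [];
for (var i = 0; i < 10; i++) items[i] = "row" + i;
setTimeout(refresh, 1000);
"""
```

Requiring three of the four indicators keeps ordinary pages that use a single `setTimeout` or a browser check from being flagged; tune the thresholds against your own traffic before relying on it.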

We have not yet confirmed whether other versions are affected (Internet Explorer 6, or Internet Explorer 7 on Microsoft Windows Vista).

How to mitigate? This is a difficult question, as we have not analyzed the exploit completely yet. If you use an alternative browser you are not affected. When we get more information we will update the diary.

--
Bojan

Just a little reminder to those that use IE7 daily; please remember to upgrade / patch your "backup browser" before you start using it! ;)
dotBATman
For those of you that use Websense at the enterprise level, I suggest adding the list of domains and harness it to protect your network.
DemiGuru