Wednesday, December 10, 2008

SANS ISC is reporting 0-day exploit for Internet Explorer in the wild

Just a heads up that SANS Internet Storm Center is reporting a 0-day exploit for Internet Explorer in the wild.

In these situations it is always wise to exercise caution when using IE until more details emerge.

My apologies if you have seen this already …



0-day exploit for Internet Explorer in the wild
Published: 2008-12-10
Last Updated: 2008-12-10 09:38:03 UTC
by Bojan Zdrnja (Version: 1)

As reported by some other researchers, there is a 0-day exploit for Internet Explorer circulating in the wild. At this point in time it does not appear to be widely used, but as the code is publicly available we can expect that this will happen very soon.

This is a brand new exploit that is *not* patched with MS08-073 that was released yesterday. I can confirm that the exploit works in a fully patched Windows XP machine.

The exploit is a typical heap overflow that appears to be exploiting something in the XML parser. After setting up the heap (spraying it – allocating 159 arrays containing the shell code) the exploit checks if a couple of things are satisfied before continuing:

The user has to be running Internet Explorer
The version of Internet Explorer has to be 7
The operating system has to be Windows XP or Windows 2003

If these things are satisfied, the exploit creates an XML tag as shown above. What is also interesting, and can be seen in the code above, is that it waits 6 seconds before executing the code – this was probably added to thwart automatic crawlers by anti-virus vendors.

We have not confirmed yet if other versions are affected (Internet Explorer 6 or Internet Explorer 7 on Microsoft Windows Vista).

How to mitigate? This is a difficult question as we have not analyzed this completely yet. If you use an alternative browser you are not affected. When we get more information we will update the diary.
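
A static triage heuristic for the four traits the diary lists (a large array-filling loop, the IE 7 / Windows XP / Windows 2003 gate, delayed execution, creation of an XML tag), as an added example that is not part of the diary or of any SANS tooling. The regexes, thresholds and both sample scripts are constructed for illustration, and the `<xml` literal is an assumption about how the tag appears in the page source.

```python
import re

# Heuristics for the traits described in the diary. The regexes and
# thresholds are assumptions of this example, not published signatures.
LOOP = re.compile(r"for\s*\([^;]*;[^;]*<=?\s*(\d+)\s*;[^)]*\)")
INDEXED_STORE = re.compile(r"\w+\s*\[\s*\w+\s*\]\s*=[^=]")
UA_READ = re.compile(r"navigator\.(?:userAgent|appVersion)")
# IE 7, or Windows XP (NT 5.1) / Windows Server 2003 (NT 5.2) in the UA.
UA_TARGET = re.compile(r"MSIE\s*7|Windows NT 5\.[12]", re.I)
TIMER = re.compile(r"set(?:Timeout|Interval)\s*\(.*?,\s*(\d+)\s*\)", re.S)
XML_TAG = re.compile(r"<\s*xml\b", re.I)


def triage(script, spray_min=100, delay_min_ms=5000):
    """Score a script on the four traits; report how long a crawler must wait."""
    bounds = [int(n) for n in LOOP.findall(script)]
    delays = [int(n) for n in TIMER.findall(script)]
    traits = {
        "spray_loop": bool(INDEXED_STORE.search(script))
        and any(b >= spray_min for b in bounds),
        "env_gate": bool(UA_READ.search(script) and UA_TARGET.search(script)),
        "delayed_run": any(d >= delay_min_ms for d in delays),
        "xml_tag": bool(XML_TAG.search(script)),
    }
    # A sandbox that leaves before the longest timer fires sees nothing.
    return {"traits": traits, "score": sum(traits.values()),
            "min_dwell_ms": max(delays, default=0)}


# Constructed sample with the same shape as the description, no payload.
SUSPECT = """
var blocks = new Array();
var filler = "PLACEHOLDER";
for (i = 0; i < 159; i++) { blocks[i] = filler + filler; }
var ua = navigator.userAgent;
if (ua.indexOf("MSIE 7") != -1 && ua.indexOf("Windows NT 5.1") != -1) {
    setTimeout("render()", 6000);
}
function render() { var tag = "<xml></xml>"; }
"""

# Constructed benign script: short loop, short timer, no browser gate.
BENIGN = """
var rows = [];
for (var i = 0; i < 10; i++) { rows[i] = i * 2; }
setTimeout(function () { refresh(); }, 250);
"""

if __name__ == "__main__":
    for name, src in (("SUSPECT", SUSPECT), ("BENIGN", BENIGN)):
        print(name, triage(src))
```

The `min_dwell_ms` value is the practical takeaway from the 6-second delay: a crawler that closes the page sooner never observes the behaviour, so its dwell time or timer fast-forwarding has to exceed it.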

