Exploited in the wild

Dec 12, 2008 21:01 GMT

Internet Explorer 8 is still far from the Release Candidate stage, let alone RTW, and the browser has already been hit by the first attacks targeting a Critical 0Day (zero day) vulnerability, with all versions at risk, including those running on Windows Vista SP1 and Windows XP SP3. The security hole can be exploited when users navigate to a maliciously crafted website. Microsoft confirmed that the previously unpatched security flaw affects all supported releases of Internet Explorer, from IE8 Beta 2 to IE7, IE6, and IE5. Moreover, the company has already detected attacks in the wild that use exploits targeting the Critical IE 0Day.

The KnownSec team, which discovered the vulnerability and subsequently leaked its details by mistake, also pointed out that IE8, IE7, IE6, and IE5 on Windows Vista, Windows XP, and Windows Server 2003 contained the vulnerability and were susceptible to attacks. According to Microsoft, all supported versions of IE running on all supported releases of Windows were at risk. The Redmond company did not comment on whether IE8 Beta running on Windows 7 was also wide open to attacks, but chances were that not even IE8 on the next iteration of the Windows platform would be an exception to this rule.

Christopher Budd, security program manager at the Microsoft Security Response Center, provided an update on the situation on December 11, indicating that the attacks observed so far were limited to Internet Explorer 7. However, Budd warned that all versions of Internet Explorer were vulnerable to exploits. The software giant mentioned that the severity of the vulnerability was mitigated on Windows Vista for copies of IE7 and IE8 running in Protected Mode. The same was valid for IE on Windows Server 2003 and Windows Server 2008 running under the Enhanced Security Configuration.

“The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable,” Microsoft stated.

“Initial reports by other security vendors mentioned a malformed XML tag as the possible cause of the vulnerability; however, from a deeper analysis it seems that the problem affects the XML parsing engine of IE7 and the library MSHTML.DLL. The vulnerability depends on how certain elements of HTML pages are terminated and therefore could potentially affect not only XML, but also other objects handled by the browser. This means that attackers may start using different attack vectors in the future to exploit this vulnerability, but at the moment it seems that this recent exploit, which has been publicly released on several Chinese forums, only uses the XML elements and tags,” Symantec Security Researcher Elia Florio explained.

Security companies Sophos and McAfee have also confirmed the detection of attacks in the wild targeting the new vulnerability, as has Microsoft itself. It is important to note that the Redmond company has yet to release a patch for the IE XML parsing vulnerability. There are, nevertheless, a number of mitigations that users can apply in order to protect themselves against the zero day, including to “disable Data Binding support in Internet Explorer 8; unregister OLEDB32.DLL; use ACL to disable OLEDB32.DLL; enable DEP for Internet Explorer 7; configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone; set Internet and Local intranet security zone settings to 'High' to prompt before running ActiveX Controls and Active Scripting in these zones,” Microsoft revealed.
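The zone-setting and OLEDB32.DLL mitigations quoted above are registry changes that an administrator can audit before and after applying them. The script below is an added example written for this article, not Microsoft's own guidance or tooling: it reads the Active Scripting (value 1400) and ActiveX (value 1200) settings of the Internet (zone 3) and Local intranet (zone 1) security zones for the current user, reports whether each is at Enable, Prompt or Disable, can switch both zones to Prompt as the advisory suggests, and lists any COM class whose InprocServer32 still points at oledb32.dll, which is how you can tell whether the unregister mitigation is in effect. The registry paths and value numbers are IE's documented security-zone settings; the function names and the "mitigated" judgement (Prompt or Disable counts, Enable does not) are this example's own.

```powershell
# Added example: audit/apply two of the mitigations Microsoft listed for the
# IE data-binding 0-day. Paths and value names are IE's zone settings; the
# function names and the pass/fail interpretation are this script's own.

$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
# 1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting
$Settings = @{ '1200' = 'ActiveX controls'; '1400' = 'Active scripting' }
$State    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneMitigationStatus {
    # One row per zone/setting pair; Mitigated is $true for Prompt (1) or Disable (3).
    foreach ($zoneId in $Zones.Keys) {
        $path = Join-Path $ZoneRoot $zoneId
        foreach ($valueName in $Settings.Keys) {
            $item  = Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue
            $value = if ($item) { [int]$item.$valueName } else { $null }
            [pscustomobject]@{
                Zone      = $Zones[$zoneId]
                Setting   = $Settings[$valueName]
                Value     = $value
                State     = if ($null -ne $value -and $State.ContainsKey($value)) { $State[$value] } else { 'Unknown/inherited' }
                Mitigated = ($value -eq 1 -or $value -eq 3)
            }
        }
    }
}

function Set-ZoneMitigation {
    # Mode 1 = Prompt (what the advisory recommends), 3 = Disable. Affects HKCU only,
    # i.e. the user running the script; other profiles need the same change.
    param([ValidateSet(1, 3)][int]$Mode = 1)
    foreach ($zoneId in $Zones.Keys) {
        $path = Join-Path $ZoneRoot $zoneId
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($valueName in $Settings.Keys) {
            Set-ItemProperty -Path $path -Name $valueName -Value $Mode -Type DWord
        }
    }
}

function Get-OleDb32Registration {
    # Walk HKLM CLSID entries and report every InprocServer32 that still names
    # oledb32.dll. No rows means the DLL is not registered as a COM server
    # (the "unregister OLEDB32.DLL" mitigation), or never was on this machine.
    Get-ChildItem 'HKLM:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $server = Get-ItemProperty -Path (Join-Path $_.PSPath 'InprocServer32') -ErrorAction SilentlyContinue
        if ($server -and $server.'(default)' -match 'oledb32\.dll') {
            [pscustomobject]@{ Clsid = $_.PSChildName; Server = $server.'(default)' }
        }
    }
}

Get-ZoneMitigationStatus | Format-Table -AutoSize
Get-OleDb32Registration  | Format-Table -AutoSize
# Set-ZoneMitigation -Mode 1   # uncomment to switch both zones to Prompt for this user
```

Run it in an elevated PowerShell to read the HKLM CLSID tree reliably. A "Value" of $null means the zone has no explicit override and inherits the zone template's default, so the script treats it as not verified rather than as mitigated. On 64-bit Windows a 32-bit registration would live under the WOW6432Node view of CLSID, which this scan does not walk; and the unregister mitigation only holds until something re-registers the DLL, so the check is worth repeating after software installs.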

“We've added three definitions: Exploit:JS/Mult.AE, Exploit:JS/Mult.AF, Exploit:JS/Mult.AG, and Exploit:JS/Mult.AI to detect HTML pages that include exploits such as the ones we've observed so far. We've seen several hundred detections from countries around the world, so please be sure to update your definitions as soon as possible,” Microsoft's Tareq Saade & Ziv Mador stated. “The exploit sites we've seen so far drop a wide variety of malware -- most commonly password stealers like new variants of game password stealers like Win32/OnLineGames, and Win32/Lolyda; keyloggers like Win32/Lmir; trojan horse applications like Win32/Helpud along with some previously unseen malware which we generically detect as Win32/SystemHijack.”