Industry News

Attackers Feast on 0-day Exploit for IE 7, 8 and 9 On Windows XP, Vista, and 7

A new 0-day exploit enabling remote code execution in Internet Explorer 7, 8, and 9 on Windows XP, Vista and Windows 7 could let attackers execute malicious code in the context of the current user. Attackers could craft websites that take advantage of a vulnerability in the way Internet Explorer accesses objects that have been deleted or improperly allocated.

“An attacker who successfully exploited this vulnerability could gain the same user rights as the current user,” says the Microsoft Security Advisory. “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

The Java exploit that plagued Firefox a couple of weeks back seems related to the newly discovered IE exploit. Shortly after the news broke, Oracle released a patch plugging the breach, only to have a new one emerge for Internet Explorer 7, 8 and 9.

Although Microsoft warns that Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 should not be affected because IE runs in enhanced security configuration mode, XP, Vista and 7 are vulnerable. With 41% of North Americans and 32% of worldwide internet users relying on Internet Explorer, the 0-day exploit could affect millions.

An iframe that uses the Internet Explorer vulnerability to run the shellcode in the system memory could be dropped by any website rigged for this specific purpose. Users are asked to switch to a different browser for now, until a patch is distributed by Microsoft.

“In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability,” says Microsoft. “In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.”

The main vector for spreading links towards compromised websites could be spam aimed at convincing users to visit the websites. By the time the bug is fixed, the Metasploit team will have already stitched together a working exploit for enthusiasts to fiddle around with.

About the author

Liviu ARSENE

Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past couple of years. He is the youngest and most restless member of the Bitdefender writer team and he covers mobile malware and security topics with fervor and a twist. His passions revolve around gadgets and technology, and he's always ready to write about what's hot and trendy out there in geek universe.

2 Comments

Click here to post a comment