Feeds

Exploit code for potent IE zero-day bug goes wild

'Fairly reliable'

Website security in corporate America

Updated Exploit code targeting the Internet Explorer vulnerability used against Google and other companies has gone public, increasing the chances that broader attacks will soon follow.

Both the open-source Metasploit framework and the commercial Immunity Canvas software for penetration testers have working exploits that fully compromise computers running earlier versions of the browser. The attacks target a previously unknown invalid pointer reference bug in IE that attackers used to penetrate the defenses of Google and dozens of other companies.

The exploits come as the German Federal Office for Information Security said IE users should switch to an alternative browser until a patch for IE has been made available.

The exploit in Canvas was "fairly reliable" at remotely executing code in tests of IE versions 6 and 7 running on Windows XP SP3, Immunity researcher Kostya Kortchinsky wrote in an email. "It crashed IE 8 and will require a bit more work to get something out of it," he added.

The exploit folded into Metasploit was tested on IE 6 running on the same Windows platform, the framework's chief maintainer, H D Moore, wrote in a blog post.

While the flaw affects all versions of IE except for 5.01 SP 4, security protections built in to more recent versions of the browser and operating system can significantly mitigate the threat. DEP, short for data execution prevention, is enabled by default in IE 8 but must be manually turned on in prior versions. Users of Vista and later versions of Windows should run IE in protected mode, an additional feature that also provides important protection.

We've said it before, and given the particulars of this vulnerability, we'll say it again: security measures like DEP and ASLR, or address space layout randomization, matter. As ugly as this vulnerability is - to say nothing of its ability to remain undetected for nine years - the fact that Windows 7 and IE 8 were able to withstand the "highly sophisticated" attacks that felled Google is testament that Microsoft is making significant progress.

Shortly after this article was first published, Microsoft issued a statement that largely repeated the same mitigation details. But it also said researchers continue to see only "limited targeted attacks affecting Internet Explorer 6." It went on to "encourage" users of IE 6 and 7 to upgrade to the latest version "to benefit from the improved security features and defense in depth protections offered such as data execution prevention and smartscreen."

The advice is sound. If it's at all possible, upgrade to IE 8 now. The computer you save may be your own.

Microsoft hasn't said when it expects to fix the bug. Its next regular update release is scheduled for February 9. Speculation is growing that the company will issue an out-of-band patch.

Moore said the Metasploit maintainers got their hands on the exploit after it was uploaded to Wepawet. Kortchinsky said Immunity researchers believe their exploit is the same one but can't be sure. Anti-virus provider McAfee, which first discovered the exploitation of the zero-day flaw, said here that the public exploits use the same code it has observed.

So far, exploitation of the IE bug has been seen only in highly targeted attacks that hit Google and at least some of the other 33 large companies that experienced similar assaults. With the public release of exploit code, the likelihood of much broader scams targeting the vulnerability are much greater. ®

This article was updated to add reporting and commentary.

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Blood-crazed Microsoft axes Trustworthy Computing Group
Security be not a dirty word, me Satya. But crevice, bigod...
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.