In a blog, Microsoft researchers said the attacks have been limited to IE6 and 7 on Window XP, and that IE version 8 users are at “reduced risk” because the Data Execution Prevention (DEP) tool, which blocks the attacks, is enabled by default on IE8.
“The vulnerability exists due to an invalid flag reference within Internet Explorer. It is possible under certain conditions for the invalid flag reference to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution”, Microsoft explained in a security advisory.
Microsoft researchers explained the vulnerability in more detail: “Internet Explorer incorrectly under-allocates memory to store a certain combination of Cascading Style Sheets (CSS) tags when parsing HTML. This could result in an overwrite of the least significant byte of a vtable pointer. An attacker able to spray memory with a specific pattern could potentially execute code in the context of the process parsing the HTML. The defense against heap spray style attacks is Data Execution Prevention (DEP).”
The company said it anticipates hackers will have a difficult time bypassing DEP. “The current techniques for bypassing DEP cannot be directly applied because the memory corruption is a partial vtable pointer overwrite. We anticipate that any exploit that attempts to bypass DEP will be unreliable (i.e., causing IE to crash), expecially on systems that support Address Space Layout Randomization (ASLR)."
In addition to ensuring DEP is enabled, Microsoft recommends that users “override the CSS supplied by the website using a user-defined .CSS file for a smaller subset of the CSS language”. Doing this will prevent IE from going down the vulnerable code path. In addition, the company recommends enabling Protected Mode in IE on Windows Vista and later operating systems, which limits the impact of the vulnverabiltiuy.
Also, Microsoft suggests installing its Enhanced Mitigation Experience Toolkit, which, among other things, enables DEP.
Microsoft said it is working with partners in its Microsoft Active Protections Program and Microsoft Security Response Alliance to supply information to customers to provide broader protection and to monitor attempts to exploit the vulnerability.
The vulnerability does not require an emergency patch, Jerry Bryant, group manager of response communication, said in a Microsoft Security Response Center (MSRC) blog post. “However, we are monitoring the threat landscape very closely and if the situation changes, we will post updates on the MSRC blog”, he said.