Microsoft admits limited attacks against IE zero-day vulnerability

04 November 2010

Microsoft said there have been “limited attacks” exploiting a zero-day vulnerability in Internet Explorer (IE) versions 6 through 8; the beta of IE9 is not affected.

In a blog post, Microsoft researchers said the attacks seen so far have been limited to IE6 and IE7 on Windows XP, and that IE8 users are at “reduced risk” because Data Execution Prevention (DEP), which blocks the attacks, is enabled by default in IE8.

“The vulnerability exists due to an invalid flag reference within Internet Explorer. It is possible under certain conditions for the invalid flag reference to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution”, Microsoft explained in a security advisory.

Microsoft researchers explained the vulnerability in more detail: “Internet Explorer incorrectly under-allocates memory to store a certain combination of Cascading Style Sheets (CSS) tags when parsing HTML. This could result in an overwrite of the least significant byte of a vtable pointer. An attacker able to spray memory with a specific pattern could potentially execute code in the context of the process parsing the HTML. The defense against heap spray style attacks is Data Execution Prevention (DEP).”

The company said it anticipates hackers will have a difficult time bypassing DEP. “The current techniques for bypassing DEP cannot be directly applied because the memory corruption is a partial vtable pointer overwrite. We anticipate that any exploit that attempts to bypass DEP will be unreliable (i.e., causing IE to crash), especially on systems that support Address Space Layout Randomization (ASLR).”
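The mechanism Microsoft describes in the two quotes above, as an added illustration: this is not the page's or Microsoft's code and not the real IE parser, but a small C model in which a size miscalculation while storing CSS tokens writes one byte past its buffer and changes the least-significant byte of the neighbouring object's vtable pointer. The chunk layout, the 256-byte vtable window, the contents of the "sprayed" slots, and every function and type name are assumptions made for the demonstration, and it assumes a little-endian target such as x86.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of the bug class in the advisory (not Microsoft's code, not the
 * real IE parser): a size miscalculation while storing CSS tokens writes one
 * byte past the buffer into the neighbouring object's vtable pointer. Layout
 * and "sprayed" contents are hypothetical and fixed; assumes little-endian. */
typedef struct Obj Obj;
typedef void (*render_fn)(Obj *);
struct Vtable { render_fn render; };
struct Obj { const struct Vtable *vt; int dirty; };

/* Simulated heap chunk: the 8-byte scratch buffer for parsed CSS tokens sits
 * directly in front of the object that owns it. */
typedef struct { unsigned char css_buf[8]; Obj obj; } Chunk;

static int g_last_call;                          /* 1 = real method, 2 = sprayed */
static void legit_render(Obj *o)   { (void)o; g_last_call = 1; }
static void sprayed_render(Obj *o) { (void)o; g_last_call = 2; }

/* 256-byte-aligned window with the real vtable at offset 0x40; every other
 * slot holds what an attacker's "specific pattern" spray would leave there. */
#define REAL_VT_OFFSET 0x40
#define NSLOTS (256 / sizeof(struct Vtable))
static _Alignas(256) struct Vtable g_window[NSLOTS];

static const struct Vtable *setup_window(void)
{
    for (size_t i = 0; i < NSLOTS; i++) g_window[i].render = sprayed_render;
    g_window[REAL_VT_OFFSET / sizeof(struct Vtable)].render = legit_render;
    return &g_window[REAL_VT_OFFSET / sizeof(struct Vtable)];
}

/* Vulnerable: budgets two bytes per tag but also stores a terminator byte from
 * the stream. Four tags fill the buffer, so the ninth byte hits obj.vt's LSB. */
static int store_tags_vuln(Chunk *c, const unsigned char *stream, size_t ntags)
{
    size_t budget = 2 * ntags;
    if (budget > sizeof c->css_buf) return -1;       /* the check passes */
    memcpy((unsigned char *)c, stream, budget + 1);  /* one byte too many */
    return 0;
}

/* Hardened: include the terminator before checking the budget. */
static int store_tags_fixed(Chunk *c, const unsigned char *stream, size_t ntags)
{
    size_t needed = 2 * ntags + 1;
    if (needed > sizeof c->css_buf) return -1;
    memcpy(c->css_buf, stream, needed);
    return 0;
}

/* The virtual call as compiled code makes it, except that a pointer off a
 * slot boundary is reported (-1) instead of dereferenced: the "crash" case. */
static int dispatch(Obj *o)
{
    if ((uintptr_t)o->vt % sizeof(struct Vtable) != 0) return -1;
    g_last_call = 0;
    o->vt->render(o);
    return g_last_call;
}

/* Constructed input: `ntags` (at most 4) two-byte tags, terminator `lsb`. */
static int build_and_store(Chunk *c, unsigned char lsb, size_t ntags, int fixed)
{
    unsigned char stream[9];
    memset(stream, 'x', sizeof stream);
    stream[2 * ntags] = lsb;
    c->obj.vt = setup_window();
    c->obj.dirty = 0;
    return fixed ? store_tags_fixed(c, stream, ntags)
                 : store_tags_vuln(c, stream, ntags);
}

/* 1 = real method ran, 2 = sprayed slot ran, -1 = would crash, -2 = rejected. */
static int exploit_attempt(unsigned char lsb, size_t ntags, int fixed)
{
    Chunk c;
    if (build_and_store(&c, lsb, ntags, fixed) != 0) return -2;
    return dispatch(&c.obj);
}

/* Why the known DEP bypasses "cannot be directly applied": the pointer keeps
 * its high bytes, so it only moves inside the window around the real vtable. */
static int stays_in_window(unsigned char lsb)
{
    Chunk c;
    build_and_store(&c, lsb, 4, 0);
    uintptr_t before = (uintptr_t)setup_window(), after = (uintptr_t)c.obj.vt;
    return (before >> 8) == (after >> 8) && (after & 0xFF) == lsb;
}

int main(void)
{
    printf("vulnerable 0x00 -> %d, vulnerable 0x41 -> %d, fixed 0x00 -> %d\n",
           exploit_attempt(0x00, 4, 0), exploit_attempt(0x41, 4, 0), exploit_attempt(0x00, 4, 1));
    return 0;
}
```

With the buggy store and a terminator byte of 0x00, the virtual call lands on a slot the attacker controls; with 0x41 it lands between slots, the outcome that shows up as a crash in the real browser; and the hardened store rejects the four-tag input before anything is corrupted. `stays_in_window` shows the other half of Microsoft's point: since only the low byte changes, the attacker cannot aim the pointer at an arbitrary address, which is why the usual DEP bypasses do not apply directly and why the result is unreliable even where ASLR leaves the low byte unchanged.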

In addition to ensuring DEP is enabled, Microsoft recommends that users “override the CSS supplied by the website using a user-defined .CSS file for a smaller subset of the CSS language”. Doing this prevents IE from reaching the vulnerable code path. The company also recommends enabling Protected Mode in IE on Windows Vista and later, which limits the impact of the vulnerability if it is exploited.

Also, Microsoft suggests installing its Enhanced Mitigation Experience Toolkit (EMET), which, among other things, can force DEP on for the IE process on versions where it is not enabled by default, such as IE6 and IE7.

Microsoft said it is working with partners in its Microsoft Active Protections Program and Microsoft Security Response Alliance to supply information to customers to provide broader protection and to monitor attempts to exploit the vulnerability.

The vulnerability does not require an emergency patch, Jerry Bryant, group manager of response communications, said in a Microsoft Security Response Center (MSRC) blog post. “However, we are monitoring the threat landscape very closely and if the situation changes, we will post updates on the MSRC blog”, he said.
