Share

Related Links

Top 5 Stories

News

Internet Explorer zero-day code goes public

18 January 2010

The Internet Explorer exploit code used in the Operation Aurora attack against Google and other technology companies has made it into the public domain, and has been incorporated into the Metasploit penetration testing tool, it was revealed this weekend.

A copy of the exploit, which targets an unpatched vulnerability in Internet Explorer, was uploaded to Wepawet, a service for detecting and analyzing web-based malware operated by the computer security group at the University of California, Santa Barbara.

"Since the code is now public, we ported it to a Metasploit module in order to provide a safe way to test or workarounds and mitigation efforts", said HD Moore, Metasploit's author, in a blog post.

The exploit works by using JavaScript to copy, release, and later reference a specific element in the Document Object Model (DOM). This action corrupts memory, and lets the attacker creates a reference to a random location of freed memory that could result in code execution.

Microsoft has published an analysis of the zero-day vulnerability, determining which versions are susceptible and on which platforms. Although the vulnerability exists in Internet Explorer 6, 7, and 8, the current exploit's ability to leverage the flaw is limited.

"The attacks we have seen to date, including the exploit released publicly, only affect customers using Internet Explorer 6," said the company's researchers. Internet Explorer 7 is potentially exploitable if running on XP, Microsoft said, but the current exploit does not work due to memory layout differences in that version of the browser. In Windows Vista, Internet Explorer Protected Mode also prevents the current exploit from working. If the Data Execution Prevention (DEP) feature that shipped with XP SP 3 is enabled, Microsoft says that the exploit will not work.

"We recommend users of IE 6 on Windows XP upgrade to a new version of Internet Explorer and/or enable DEP", Microsoft said in its analysis. "We also recommend users of Windows XP upgrade to newer versions of Windows." Other workarounds include disabling JavaScript, the company said.

Although the exploit's scope is limited, the German government has nevertheless recommended that its citizens stop using Internet Explorer and use alternative browsers until the issue is resolved. France also recently joined in, advising its citizens to abstain from using Microsoft's browser, too.

"The public release of the exploit code increases the possibility of widespread attacks using the Internet Explorer vulnerability," said George Kurtz, CTO of McAfee, of the attack. "The now public computer code may help cyber criminals craft attacks that use the vulnerability to compromise Windows systems."

This article is featured in:
Internet and Network Security  •  Malware and Hardware Security

 

Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×