Internet Explorer zero-day code goes public

A copy of the exploit, which targets an unpatched vulnerability in Internet Explorer, was uploaded to Wepawet, a service for detecting and analyzing web-based malware operated by the computer security group at the University of California, Santa Barbara.

"Since the code is now public, we ported it to a Metasploit module in order to provide a safe way to test your workarounds and mitigation efforts", said HD Moore, Metasploit's author, in a blog post.

The exploit works by using JavaScript to copy, release, and later reference a specific element in the Document Object Model (DOM). This corrupts memory and lets the attacker create a reference to a random location of freed memory, which could result in code execution.

Microsoft has published an analysis of the zero-day vulnerability, determining which versions are susceptible and on which platforms. Although the vulnerability exists in Internet Explorer 6, 7, and 8, the current exploit's ability to leverage the flaw is limited.

"The attacks we have seen to date, including the exploit released publicly, only affect customers using Internet Explorer 6," said the company's researchers. Internet Explorer 7 is potentially exploitable if running on XP, Microsoft said, but the current exploit does not work due to memory layout differences in that version of the browser. In Windows Vista, Internet Explorer Protected Mode also prevents the current exploit from working. If the Data Execution Prevention (DEP) feature that shipped with XP SP 3 is enabled, Microsoft says that the exploit will not work.

"We recommend users of IE 6 on Windows XP upgrade to a new version of Internet Explorer and/or enable DEP", Microsoft said in its analysis. "We also recommend users of Windows XP upgrade to newer versions of Windows." Other workarounds include disabling JavaScript, the company said.

Although the exploit's scope is limited, the German government has nevertheless recommended that its citizens stop using Internet Explorer and use alternative browsers until the issue is resolved. France also recently joined in, advising its citizens to abstain from using Microsoft's browser.

"The public release of the exploit code increases the possibility of widespread attacks using the Internet Explorer vulnerability," said George Kurtz, CTO of McAfee, of the attack. "The now public computer code may help cyber criminals craft attacks that use the vulnerability to compromise Windows systems."
