Slashdot Mirror


New IE Zero-Day Being Exploited In the Wild

wiredmikey writes "A new zero-day vulnerability affecting Internet Explorer is being exploited in the wild affecting IE 9 and earlier. The vulnerability, if exploited, would allow full remote code execution and enable an attacker to take over an affected system. Security researcher Eric Romang discovered the vulnerability and exploit over the weekend while monitoring some infected servers said to be used by the alleged Nitro gang. To run the attack, a file named 'exploit.html' is the entry point of the attack ... According to analysis by VUPEN, the exploit takes advantage of a 'use-after-free vulnerability' that affects the mshtml.dll component of Internet Explorer. Rapid7 on Monday released an exploit module for Metasploit which will let security teams and attackers alike test systems."

3 of 134 comments

  1. Re:Question: by thetoadwarrior · · Score: 5, Informative

    IE 9 isn't on XP.

  2. exploit yes, virus no by planckscale · · Score: 5, Informative

    This exploit has been targeting chem and defense companies. The thing about these exploits is that they typically are just a method to drop the actual payload which is usually a virus or trojan. In this case it looks like the payload is Poison Ivy, which was added to NOD32 AV defs back in 2008. Yes, the attacker could compromise the machine and get admin shell, but the majority of the time they’re installing a keylogger or other virus which NOD32 will catch.

    From TFA:

    First, a file named “exploit.html” appears to be the entry point of the attack, which loads “Moh2010.swf”, an encrypted Flash file that it decompresses in memory.

    According to AlienVault's Jaime Blasco, the payload dropped is Poison Ivy, as was the case with the previous Java zero-day. Poison Ivy is a remote administration tool (RAT) that was used in the Nitro attacks that targeted chemical and defense companies. Interestingly, after exploitation, the attack loads “Protect.html”, a file that checks to see if the Web site is listed in the Flash Storage settings, and if it is, the Web browser will no longer be exploited despite additional visits to the malicious site.

    --
    Namaste
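
Added example, not part of the thread or the quoted article: a defender-side check that scans web proxy logs for the request sequence the article describes (exploit.html, then Moh2010.swf, then Protect.html) from one client to one host. The log format, the five-minute window and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# File names of the chain as reported in the article quoted above, in order.
CHAIN = ("exploit.html", "moh2010.swf", "protect.html")
WINDOW = timedelta(minutes=5)   # assumption: the chain completes within minutes

# Constructed sample proxy log: ISO timestamp, client IP, host, URL path.
SAMPLE_LOG = """\
2012-09-17T09:14:02 10.0.0.21 badhost.example /exploit.html
2012-09-17T09:14:03 10.0.0.21 badhost.example /Moh2010.swf
2012-09-17T09:14:09 10.0.0.21 badhost.example /Protect.html
2012-09-17T09:20:00 10.0.0.35 intranet.example /docs/exploit.html
2012-09-17T09:31:40 10.0.0.47 badhost.example /exploit.html
2012-09-17T09:31:41 10.0.0.47 badhost.example /Moh2010.swf
"""

def parse(line):
    ts, client, host, path = line.split()
    name = path.rsplit("/", 1)[-1].split("?", 1)[0].lower()
    return datetime.fromisoformat(ts), client, host, name

def find_chains(log_text):
    """Return {(client, host): stage}, where stage counts how many steps of
    CHAIN were seen in order within WINDOW of the first step (1..3)."""
    progress = {}            # (client, host) -> (next index in CHAIN, start time)
    best = defaultdict(int)
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, client, host, name = parse(line)
        key = (client, host)
        idx, start = progress.get(key, (0, ts))
        if idx and ts - start > WINDOW:
            idx, start = 0, ts            # stale partial chain: start over
        if name == CHAIN[0]:
            idx, start = 1, ts
        elif idx and idx < len(CHAIN) and name == CHAIN[idx]:
            idx += 1
        else:
            continue
        progress[key] = (idx, start)
        best[key] = max(best[key], idx)
    return dict(best)

def triage(log_text):
    """Split hits into full chains (all three files) and partial ones."""
    hits = find_chains(log_text)
    full = sorted(k for k, v in hits.items() if v == len(CHAIN))
    partial = sorted(k for k, v in hits.items() if 2 <= v < len(CHAIN))
    return full, partial
```

A lone request for a file called exploit.html is deliberately not reported, since the name by itself is weak evidence; a full chain, which includes the Protect.html request the article places after exploitation, is the higher-priority hit.
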
  3. Re:Does this include IE9-64? by WD · · Score: 4, Informative

    Yes, IE9-64 is affected by the vulnerability. Whether exploits in the wild will succeed against it is another question...