Slashdot Mirror


New IE Zero-Day Being Exploited In the Wild

wiredmikey writes "A new zero-day vulnerability affecting Internet Explorer is being exploited in the wild affecting IE 9 and earlier. The vulnerability, if exploited, would allow full remote code execution and enable an attacker to take over an affected system. Security researcher Eric Romang discovered the vulnerability and exploit over the weekend while monitoring some infected servers said to be used by the alleged Nitro gang. To run the attack, a file named 'exploit.html' is the entry point of the attack ... According to analysis by VUPEN, the exploit takes advantage of a 'use-after-free vulnerability' that affects the mshtml.dll component of Internet Explorer. Rapid7 on Monday released an exploit module for Metasploit which will let security teams and attackers alike test systems."

27 of 134 comments

  1. I/E 9 at risk by minstrelmike · Score: 4, Funny

    I'm shocked. Shocked I tell you.

    1. Re:I/E 9 at risk by localman57 · Score: 4, Funny

      Also, I think they should modify all future browsers to use extra caution when opening a file called "exploit.html". In retrospect, it seems so obvious...

    2. Re:I/E 9 at risk by JustOK · Score: 2

      FF 10^100 = google chrome

      --
      rewriting history since 2109
    3. Re:I/E 9 at risk by girlintraining · Score: 5, Insightful

      I'm shocked. Shocked I tell you.

      Almost every major browser in use has had a vulnerability. Those that haven't are vulnerable because of commonly-used plugins. It's not just IE9, it's browsers in general... it's the repeated and systemic perversion and added complexity of trying to turn the web into the end-all and be-all of the internet. When it was created, the uses for it were not as complicated as they are now.

      It's the complexity of the web that is its vulnerability -- I honestly don't think there's a way to write a truly-secure web browser because everything from the protocols up have been shoehorned into things they were never designed to do. The entire thing needs to be jettisoned -- html, css, xml, http, ssl, everything. We need to start over from scratch, and build a new set of protocols and specifications, not just continually band-aid over existing ones. And this time, security needs to be a design consideration from the start, not evolved in.

      Anyone with an understanding of information systems' security will tell you -- security needs to be built in from the start or it doesn't matter how much effort you put in later, you're going to be chasing down problems forever. Start with a secure and vetted design and it's a lot more likely to perform. Of course, real security would mean that governments, corporations, and other interested parties wouldn't be able to snoop on what you're doing -- anything sent in the clear can be screwed with. Oh... and it wouldn't be as convenient as it is today; You'd have to think about what you were doing, instead of blithering about and when you get "hacked" blaming everyone but yourself.

      Real security would mean no more excuses... from anyone. That's why you won't exactly be seeing a parade down main street anytime soon congratulating people on making computers more secure; Responsibility? Not on MY internet!

      --
      #fuckbeta #iamslashdot #dicemustdie
    4. Re:I/E 9 at risk by amicusNYCL · Score: 2

      We should take a page from the book of the mod_security team and add "exploit.html" to our list of URL filters. Make sure your AV software is also set to block "virus.exe" from running.

      The mod_security reference is about the fact that they block files called "shell.php" from running, as if blocking specific filenames equals security. We had a hard time figuring out why the servers were refusing to acknowledge the existence of the PHP scripts that were launching our courseware shells.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    5. Re:I/E 9 at risk by c0lo · Score: 2

      Also, I think they should modify all future browsers to use extra caution when opening a file called "exploit.html". In retrospect, it seems so obvious...

      No need... a properly configured firewall will do it before the browser gets the page

      --
      Questions raise, answers kill. Raise questions to stay alive.
    6. Re:I/E 9 at risk by hairyfeet · Score: 2

      Yeah, I put this right beside those users that posted to tell me "Oh IE isn't fragmented, you just have to buy the latest OS to use it!" wow, really? No shit.

      The sad part is I at this point really don't have much in the way of sympathy anymore for anyone using IE and getting boned. This is like a dog walking out in front of a car and getting hit again and again; sooner or later you just figure it's Darwin's way of thinning the herd of the dumbasses in the breed.

      The only nice thing I can say about IE is thanks to Steve "herpa derp" Ballmer cutting loose the IE team after IE 6 and just letting the damned thing rot we have more choices than ever so there really is no excuse. You've got Chrome and Chromium and Comodo Dragon in that line, Firefox and Kmeleon and Seamonkey and IceDragon in the Gecko line, then you have Safari and QTWeb and Opera.

      Frankly we've got choice coming out of our asses folks, everyone can have the web THEIR way, so even though I like Dragon you might like Seamonkey or Opera and that's fine, you get the web YOUR way and I'll get my web my way.

      But unless you are forced by a very stupid (or hamstrung by bad intranet apps) IT dept there really is no point running IE and as TFA demonstrates plenty of reasons not to. It's the #1 target by far because the malware writers know the truly clueless users, those that think that 30 day trial of Norton that expired 3 years ago equals having an antivirus and who will click on any damned thing, use IE because they don't know any better. For them IE users are easy pickings and again, Darwinism, they should have learned the first time they got burned.

      This is why I no longer support IE in ANY way. Some customer tells me they have IE problems? I give them their choice of Dragon or IceDragon (Firefox spinoff) and THEN if they have a problem with it I'll help, but every. single. time. I've had a user tell me they have "A problem with Internet Explorer" I open the thing up and it's got more toolbars and other malware bullshit than you can even count; anybody stupid enough to use IE while the spyware and toolbars and other shit just keeps piling up deserves what they get.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    7. Re:I/E 9 at risk by mcgrew · Score: 2

      but every. single. time. I've had a user tell me they have "A problem with Internet Explorer" I open the thing up and it's got more toolbars and other malware bullshit than you can even count; anybody stupid enough to use IE while the spyware and toolbars and other shit just keeps piling up deserves what they get.

      Heh, a friend told me the other day he broke his monitor with his mouse; his XP PC had slowed to a crawl after he let his daughter in law use it. I looked at it for him, it was full of useless crud like weatherbugs and toolbars, when I gave it back to him my advice was "never install anything produced by Yahoo, ever, and don't use IE." It seems he'd DLed FF from Yahoo, and it came preinstalled with crapware and must have had a half dozen useless and redundant toolbars. I uninstalled it and IE9 and reinstalled FF from mozilla.org.

      But at least he had no viruses I could find, just useless TSRs eating his meager memory. Had he been using IE9... well, what other browser except IE has ever been vulnerable to drive-bys?

      The second time anyone brings me a computer full of crapware, I install kubuntu on it, because it means they didn't listen when I warned them about dangers. That always solves the problem.

    8. Re:I/E 9 at risk by cbhacking · Score: 2

      Completely wrong, as it happens, although I'm honestly not sure how you could have gotten that idea. Drive-by exploits, in the sense of "you visit a website and are pwned", have existed for all major browsers.

      Firefox: much like this IE9 bug; only requires you to execute some script
      Chrome: buffer mismanagement in SPDY or bad casts in SVG
      Safari: visit a website and automatically execute a shell script from it
      Opera: buffer overflow using file download name in the prompt (can trigger automatically)

      To be fair, most of these are pretty old; 2010 or sometimes before. I could have chosen a 2012 for Chrome, but chose to look explicitly at the browser, not at the Flash plugin (even though it's bundled with the browser and enabled by default...) Secunia's database also isn't comprehensive; for example, there were vulns found (by a white-hat, so patched before release and not included here) in Chrome earlier this year. That said, if you filter advisories to "extremely critical", IE has a much longer list than the other browsers (although part of that will just be market penetration making it the thing people have been targeting most). I also ignored browser version; that list for IE includes IE6 for example.

      --
      There's no place I could be, since I've found Serenity...
  2. Day Zero by puddingebola · Score: 3, Funny

    Been saying for years that if we'd just get rid of day zero on the calendar that so many security concerns could be solved, but instead we get yet another vulnerability. How did this happen on day 260?

  3. Getting fed up by gravyface · Score: 4, Interesting

    of shoddy browser security. Could this not be "solved" with proper sandboxing? If there's legacy code to support (this has been cited many times in the past for reasons why), please, please fork IE into two branches: IE Classic or whatever that's fully backwards compatible, and an IE Lite that's completely sandboxed and locked down for widespread corporate deployment.

    --
    body massage!
    1. Re:Getting fed up by pokoteng · Score: 2

      And it is that "legacy support" that is causing half the problems of Windows. It's never good to support legacy, at least, not without very careful consideration. Considering sandboxing though, it might just be alright to have all the legacy stuff in a VM-like environment entirely and have your host system be something a lot more stable. That just sounds like having linux host + windows guests though.

      --
      the game
    2. Re:Getting fed up by Bengie · Score: 2

      All programs should be run as their own users

      Network admins would love creating 30 user accounts for every person and every person would love remembering 30 accounts.

    3. Re:Getting fed up by Bozzio · Score: 2

      It's only a matter of time.

      --
      I just pooped your party.
  4. Re:Question: by thetoadwarrior · Score: 5, Informative

    IE 9 isn't on XP.

  5. exploit yes, virus no by planckscale · Score: 5, Informative

    This exploit has been targeting chem and defense companies. The thing about these exploits is that they typically are just a method to drop the actual payload which is usually a virus or trojan. In this case it looks like the payload is Poison Ivy, which was added to NOD32 AV defs back in 2008. Yes, the attacker could compromise the machine and get admin shell, but the majority of the time they're installing a keylogger or other virus which NOD32 will catch.

    From TFA:

    First, a file named "exploit.html" appears to be the entry point of the attack, which loads "Moh2010.swf", an encrypted Flash file that it decompresses in memory.

    According to AlienVault's Jaime Blasco, the payload dropped is Poison Ivy, as was the case with the previous Java zero-day. Poison Ivy is a remote administration tool (RAT) that was used in the Nitro attacks that targeted chemical and defense companies. Interestingly, after exploitation, the attack loads "Protect.html", a file that checks to see if the Web site is listed in the Flash Storage settings, and if it is, the Web browser will no longer be exploited despite additional visits to the malicious site.

    --
    Namaste
  6. Re:It's not a Zero Day by M0j0_j0j0 · Score: 2

    and probably Vupen already sold it 10 months ago to , Ebay style.

  7. Well, you can mitigate the damage by davidwr · Score: 2

    Running web browsers in a well-written sandbox with only very careful access to "the outside machine" will help keep browser bugs from turning into system-wide vulnerabilities.

    Sure, someone may take over your browser and turn it into DNS-generation-engine, but once you quit your browser, anything left over will require a social-engineering attack ("download catpics.exe and after you quit your browser, run it!") to continue living.

    While no sandbox is perfect, there is (hopefully) a smaller and better-engineered code base to maintain.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  8. Does this include IE9-64? by fast+turtle · Score: 2

    Yes I RTFA and didn't see any information on whether IE9-64 is affected. Pretty lousy of the tester to not bother indicating if the problem is only with the 32-bit version, as the 64-bit has a better baseline security configuration. Due to these issues, it's just one of the reasons I also use Palemoon64. Improved security such as full ASLR along with DEP support, so I'm hopeful this does not affect IE9-64 due to the limited number of folks actually using it.

    --
    Mod me up/Mod me down: I won't frown as I've no crown
    1. Re:Does this include IE9-64? by WD · Score: 4, Informative

      Yes, IE9-64 is affected by the vulnerability. Whether exploits in the wild will succeed against it is another question...

  9. Internet Explorer is still a thing? by Trogre · Score: 4, Funny

    Isn't IE that tool people use to download Firefox?

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  10. DNH: 1 by seandiggity · Score: 2

    But I thought they turned on that "Do Not Hack" HTTP header??

    --
    Geeks like to think that they can ignore politics, you can leave politics alone, but politics won't leave you alone. - rms
  11. UAC is pointless by GoogleShill · Score: 2

    This exploit gains the privileges of the running user on Windows Vista and 7. The entire point of all the "allow/deny" popup BS with UAC was because they wanted to restrict processes to the lowest privilege necessary. IE is supposed to be a high-risk, sandboxed application and yet this exploit magically gets around it and gains access to the full user's account, which probably has admin rights on the machine. MS does not understand security. You don't start out by giving a user admin rights, you make them ask for it, a la 'sudo'. UAC starts out by keeping the user an administrator, and dropping the rights for new processes and trying to intercept when those processes need higher access so that the OS can display a verification prompt. Since Vista, this has been exploited over and over again. The only way to be safe under Windows is to always use a low-priv account, and type in the full username/password of an administrator whenever the UAC prompt comes up, and that is a terrible user experience.

  12. Re:Question: by rgbrenner · Score: 2

    do you think the "and earlier" versions that are also vulnerable might be on XP?

  13. Re:I should be safe! by w3c.org · Score: 2

    Windows key + R
    cmd
    ftp ftp.mozilla.org
    cd /pub/mozilla.org/firefox/releases/latest/win32/en-US/
    get "Firefox Setup 15.0.1.exe"

  14. Re:You should be safe by jafiwam · Score: 2

    Not really.

    Compromised ad servers seem to happen often enough still. People have in not so recent past gotten infected from not so dangerous sites such as CNN.com.

    Some sites are such morasses of server calls to other places all jumbled in one page it defies description. True, someone visiting the same four sites is going to be OK, but someone visiting Facebook (as an example) may very well be exposed.

  15. Re:You Miss The Issue by cbhacking · Score: 2

    Managed / memory-safe languages aren't a guaranteed protection, though.

    First of all, there can be bugs in the runtime that lead to possible exploits. I have a friend who manages to generate segfaults in Java about once every two weeks (no idea how many of them are the same bug being hit multiple times; maybe all of them). In case you're confused, a segfault (as opposed to a NullPointerException) means the runtime thought it could access the memory there, after running all its checks... and found out otherwise when it tried and the CPU had to slap it down. The equivalent term for segfault on Windows would be "access violation" and in both uses, it boils down to a security bug, potentially exploitable by triggering memory corruption. For that matter, JavaScript itself should be memory-safe.

    Which brings us to the second issue: when you're trying to JIT-compile a script, the actual processing of the script is done in the compiler. You could write all of that in the safest language in the world... and it wouldn't do you any good if there's a bug in the compiler's code generation (note: not in the parsing of the script) that causes the resulting code, when executed, to be memory-unsafe. It's much, much harder to verify the safety of generated code (for a reasonably complex language; JS certainly being one) than it is to verify the safety of the code generator itself (even if written in C++).

    --
    There's no place I could be, since I've found Serenity...