The unpatched vulnerability in Internet Explorer’s MSXML component that Microsoft warned users about earlier this month is being used in attacks that employ malicious Flash files. Researchers say that the attacks are taking the form of drive-by downloads launched from compromised legitimate sites.
The attack scenario being used is a familiar one. When users visit a legitimate site that has been compromised, the malicious code injected into the site exploits the CVE-2012-1889 vulnerability in Internet Explorer to install malware on the victim’s machine. This is the classic drive-by download technique; it has proven effective for years, and it is even more effective when an unpatched flaw such as this one is available for use.
“Just like the exploit code used against CVE-2012-1875, this exploit also uses an embedded SWF (Flash) file. The SWF file is responsible for performing the heap spray and setting up the shellcode,” Karthikeyan Kasiviswanathan of Symantec wrote in an analysis of the attacks.
When Microsoft first warned users about the vulnerability last week, officials said that the bug already was being used in attacks in the wild. Google researchers, who originally found the vulnerability and disclosed it to Microsoft, said that they had seen attacks against the vulnerability that were using malicious Office documents to carry the payload.
The newer series of attacks is instead using the ever-popular malicious Flash file as a delivery mechanism for the attacker’s shellcode.
“The exploit also supports multiple versions of Windows and languages. The heap spray and shellcode are customized depending on the combination of the Windows version and languages,” Kasiviswanathan said. “When the vulnerability is triggered, the execution is transferred to the shellcode. The shellcode is designed to download an encrypted payload from a URL and save it to the Temporary Internet Files folder.”
If you’re running Internet Explorer, you should apply the Microsoft FixIt tool for the vulnerability; it is a stop-gap until Microsoft has a full patch available.