UPDATE–Microsoft is looking into reports of targeted attacks against a new vulnerability that exists in all supported versions of Internet Explorer. The attacks are targeting IE 8 and 9 and there’s no patch for the vulnerability right now, though Microsoft has developed a FixIt tool for it.

“The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website,” the Microsoft advisory says.

The vulnerability is a use-after-free bug in the Microsoft HTML rendering engine (mshtml.dll) in IE, and the company said the exploit it has seen is implemented entirely in JavaScript.

“The exploit we analyzed worked only on Windows XP or Windows 7 running Internet Explorer 8 or 9,” Neil Sikka of Microsoft Engineering said. “The exploit was attacking a Use After Free vulnerability in IE’s HTML rendering engine (mshtml.dll) and was implemented entirely in Javascript (no dependencies on Java, Flash etc), but did depend on a Microsoft Office DLL which was not compiled with ASLR (Address Space Layout Randomization) enabled.

“The purpose of this DLL in the context of this exploit is to bypass ASLR by providing executable code at known addresses in memory, so that a hardcoded ROP (Return Oriented Programming) chain can be used to mark the pages containing shellcode (in the form of Javascript strings) as executable. This can be seen by the fact that ALL the gadgets used by the ROP chain were contained in hxds.dll.”
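The detail that matters for defenders in the quote above is that the ROP gadgets all came from a DLL linked without ASLR: any module mapped at a predictable address gives a hardcoded ROP chain something to work with. The check a practitioner wants is therefore whether a given DLL was built with /DYNAMICBASE (and NX compatibility), which the linker records in the DllCharacteristics field of the PE optional header. The following is an added example, not code from Microsoft or from the article: it parses that field from raw PE bytes. The PE image it checks is constructed inline; no path or name for hxds.dll is assumed.

```python
import struct

# Bits of IMAGE_OPTIONAL_HEADER.DllCharacteristics (PE specification).
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses
DYNAMIC_BASE = 0x0040      # image may be relocated at load time (ASLR)
NX_COMPAT = 0x0100         # image is compatible with DEP/NX


def pe_mitigations(data: bytes) -> dict:
    """Parse the PE headers of a DLL/EXE image and report which
    compile-time mitigations the linker set in DllCharacteristics."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = pe_off + 4 + 20           # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):     # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    chars = struct.unpack_from("<H", data, opt_off + 70)[0]
    return {
        "aslr": bool(chars & DYNAMIC_BASE),
        "nx": bool(chars & NX_COMPAT),
        "high_entropy_va": bool(chars & HIGH_ENTROPY_VA),
        "dll_characteristics": chars,
    }


def lacks_aslr(data: bytes) -> bool:
    """True when the module loads at a fixed base, i.e. it is a usable
    source of ROP gadgets at known addresses, as hxds.dll was here."""
    return not pe_mitigations(data)["aslr"]


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed sample image: just enough header to exercise the parser."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x2000)  # IMAGE_FILE_DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # To audit a real module, read its bytes from disk and pass them in.
    print(pe_mitigations(build_minimal_pe(0)))               # no ASLR, no NX
    print(pe_mitigations(build_minimal_pe(DYNAMIC_BASE | NX_COMPAT)))
```

Run over the DLLs a process actually maps, a module that reports `aslr: False` is the condition this exploit depended on, regardless of whether the rest of the system has ASLR enabled.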

Microsoft did not specify where the attacks against this vulnerability were coming from or whether specific compromised Web sites are involved. The company recommends several mitigations for this vulnerability, including applying the FixIt solution and setting IE to warn you before running Active Scripting. The most likely attack scenarios for this vulnerability are the typical link in an email or a drive-by download.

“In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website,” Microsoft said.

Researchers at Qualys say that the attacks are happening in Japan right now, but could spread quickly now that some details of the vulnerability are public.

“The exploit depends on a Microsoft Office DLL which has been compiled without Address Space Layout Randomization (ASLR) to locate the right memory segment to attack, but this DLL is extremely common and most likely will not lower the affected population by much. While the attack is very targeted and geographically limited to Japan, it might not affect you at the moment. But with the publication of the shim, other attackers can now analyze the condition fixed and will be able to produce an equivalent exploit fairly quickly,” Wolfgang Kandek of Qualys said.

This story was updated on Sept. 18 to add technical information on the exploit.
