There’s a new zero-day vulnerability in many current versions of Internet Explorer, and it is being used in active attacks right now. The exploit that’s in use has the ability to bypass both DEP and ASLR, and researchers say it’s being used by a known APT group.
Microsoft has issued an advisory about the CVE-2014-1776 IE vulnerability, and said it is aware of some targeted attacks using the exploit. The flaw is a use-after-free vulnerability in the browser, and Microsoft officials said it could be used in drive-by download attacks among other scenarios.
Though the bug affects the versions of IE running on Windows XP, the exploit that’s being used currently only targets newer versions of the browser, specifically IE 9 through 11. However, there is always the possibility that another exploit will emerge in the days and weeks ahead.
“The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website,” the Microsoft advisory says.
The bug affects IE 6 through IE 11 running on several current versions of Windows, including Vista, Windows 7 and Windows 8 and 8.1. Researchers at FireEye said that the exploit being used in targeted attacks at this point uses the vulnerability along with a known Flash exploitation technique. The exploit targets IE 9 through IE 11.
“The exploit page loads a Flash SWF file to manipulate the heap layout with the common technique heap feng shui. It allocates Flash vector objects to spray memory and cover address 0x18184000. Next, it allocates a vector object that contains a flash.Media.Sound() object, which it later corrupts to pivot control to its ROP chain,” the FireEye analysis of the exploit says.
“The SWF file calls back to Javascript in IE to trigger the IE bug and overwrite the length field of a Flash vector object in the heapspray. The SWF file loops through the heapspray to find the corrupted vector object, and uses it to again modify the length of another vector object. This other corrupted vector object is then used for subsequent memory accesses, which it then uses to bypass ASLR and DEP.”
There are some mitigations that reduce the usefulness of the exploit. Microsoft officials said that deploying the EMET 4.1 toolkit will mitigate the exploit, and FireEye researchers said that disabling the Flash plugin in IE also will break the exploit that’s in the wild.
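The two mitigations named above can be checked from an administrator’s PowerShell prompt. The script below is an added example, not code from the article, Microsoft or FireEye; it is read-only and reports whether the Flash ActiveX control is blocked in IE (via the ActiveX “kill bit”, the 0x400 flag under the ActiveX Compatibility key for Flash’s CLSID {D27CDB6E-AE6D-11cf-96B8-444553540000}) and whether EMET appears to be present. The EMET detection relies on assumptions marked in the comments (the default EMET 4.1 install folder and the EMET_Service service name), so adjust those if EMET was deployed differently.

```powershell
# Added example: read-only audit of the two mitigations discussed above.
# Not part of the original article; assumptions are marked below.

# CLSID of the Flash Player ActiveX control ("Shockwave Flash Object") in IE.
$flashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'

# IE will not instantiate a control whose kill bit (0x400) is set in
# "Compatibility Flags" under this key.
$killBitKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid"

function Test-FlashKillBit {
    if (-not (Test-Path $killBitKey)) { return $false }
    $item  = Get-ItemProperty -Path $killBitKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    $flags = $item.'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band 0x400) -ne 0)
}

function Test-EmetPresent {
    # Assumption: EMET 4.1 installed to its default folder, or its agent
    # service registered under the name EMET_Service.
    $candidates = @(
        "$env:ProgramFiles\EMET 4.1\EMET_Agent.exe",
        "${env:ProgramFiles(x86)}\EMET 4.1\EMET_Agent.exe"
    )
    foreach ($p in $candidates) {
        if (Test-Path $p) { return $true }
    }
    return ($null -ne (Get-Service -Name 'EMET_Service' -ErrorAction SilentlyContinue))
}

function Get-IeVersion {
    # svcVersion exists on IE 10+; older builds only expose Version.
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    if ($null -eq $ie) { return 'unknown' }
    if ($ie.svcVersion) { return $ie.svcVersion }
    return $ie.Version
}

$report = [pscustomobject]@{
    IEVersion        = Get-IeVersion
    FlashBlockedInIE = Test-FlashKillBit
    EMETPresent      = Test-EmetPresent
}
$report | Format-List

if (-not $report.FlashBlockedInIE -and -not $report.EMETPresent) {
    Write-Warning 'Neither mitigation detected: Flash is loadable in IE and EMET was not found.'
}
```

The kill bit disables the Flash control for all of IE rather than for one site, which is what the FireEye note about disabling the plugin amounts to; EMET presence alone does not prove IE is actually in EMET’s protected-application list, so treat that result as a starting point, not a final answer.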