There’s a new zero-day vulnerability in many of the current versions of Internet Explorer, and it is being used in active attacks right now. The exploit that’s in use has the ability to bypass both DEP and ASLR, and researchers say it’s being used by a known APT group.

Microsoft has issued an advisory about the CVE-2014-1776 IE vulnerability, and said it is aware of some targeted attacks using the exploit. The flaw is a use-after-free vulnerability in the browser, and Microsoft officials said it could be used in drive-by download attacks among other scenarios.

Among the vulnerable versions of IE are several that can run on Windows XP, which is no longer supported by Microsoft.

Though the bug affects the versions of IE running on Windows XP, the exploit that’s being used currently only targets newer versions of the browser, specifically IE 9 through 11. However, there is always the possibility that another exploit will emerge in the days and weeks ahead.

“The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website,” the Microsoft advisory says.

The bug affects IE 6 through IE 11 running on several current versions of Windows, including Vista, Windows 7, Windows 8 and Windows 8.1. Researchers at FireEye said that the exploit being used in targeted attacks at this point combines the vulnerability with a known Flash exploitation technique. The exploit targets IE 9 through IE 11.

“The exploit page loads a Flash SWF file to manipulate the heap layout with the common technique heap feng shui. It allocates Flash vector objects to spray memory and cover address 0x18184000. Next, it allocates a vector object that contains a flash.Media.Sound() object, which it later corrupts to pivot control to its ROP chain,” the FireEye analysis of the exploit says.

“The SWF file calls back to JavaScript in IE to trigger the IE bug and overwrite the length field of a Flash vector object in the heapspray. The SWF file loops through the heapspray to find the corrupted vector object, and uses it to again modify the length of another vector object. This other corrupted vector object is then used for subsequent memory accesses, which it then uses to bypass ASLR and DEP.”

There are some mitigations that reduce the effectiveness of the exploit. Microsoft officials said that deploying the EMET 4.1 toolkit will mitigate the exploit, and FireEye researchers said that disabling the Flash plugin in IE will also break the exploit that’s in the wild, since it depends on Flash for its heap spray and ROP pivot.
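The following PowerShell script is an added example, not code from the article, Microsoft or FireEye. It audits a Windows host for the two mitigations named above: it reads the installed IE version, reports whether the in-the-wild exploit's target range (IE 9 through 11) applies, checks whether EMET appears in the installed-programs registry entries, and checks (and can set) the IE "kill bit" for the Flash Player ActiveX control, which is one way of disabling Flash in IE. It assumes PowerShell 3 or later, an elevated prompt for the `Set-FlashKillBit` step, and that the Flash control is registered under its standard CLSID `{D27CDB6E-AE6D-11cf-96B8-444553540000}`.

```powershell
# Added example (not from the article or from Microsoft/FireEye).
# Assumptions: PowerShell 3+, standard Flash Player ActiveX CLSID, and the
# usual IE "ActiveX Compatibility" kill-bit mechanism (Compatibility Flags 0x400).

$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Shockwave Flash Object
$KillBit    = 0x400                                       # IE kill-bit flag value

function Get-IEVersion {
    # IE 10/11 store their real version in svcVersion; older builds only set Version.
    $ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction Stop
    if ($ie.svcVersion) { return [version]$ie.svcVersion }
    return [version]$ie.Version
}

function Get-KillBitPaths {
    # Kill bits live under both the native and the WOW6432Node view on 64-bit Windows.
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid")
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
    }
    return $paths
}

function Test-FlashKillBit {
    # $true only when every applicable registry view has the kill bit set for Flash.
    foreach ($p in (Get-KillBitPaths)) {
        $flags = [int](Get-ItemProperty $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (($flags -band $KillBit) -eq 0) { return $false }
    }
    return $true
}

function Set-FlashKillBit {
    # Sets the kill bit so IE refuses to instantiate the Flash control; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($p in (Get-KillBitPaths)) {
        if ($PSCmdlet.ShouldProcess($p, 'Set Compatibility Flags bit 0x400')) {
            if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
            $cur = [int](Get-ItemProperty $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
            New-ItemProperty -Path $p -Name 'Compatibility Flags' -PropertyType DWord `
                -Value ($cur -bor $KillBit) -Force | Out-Null
        }
    }
}

function Test-EmetInstalled {
    # Looks for EMET among Add/Remove Programs entries in both registry views.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $hits = Get-ItemProperty $keys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like 'EMET*' -or
                           $_.DisplayName -like 'Enhanced Mitigation Experience Toolkit*' }
    return [bool]$hits
}

# Report
$ver = Get-IEVersion
Write-Host "Internet Explorer version : $ver"
if ($ver.Major -ge 9 -and $ver.Major -le 11) {
    Write-Host '  -> in the IE 9-11 range targeted by the in-the-wild exploit'
}
Write-Host ("EMET installed            : {0}" -f (Test-EmetInstalled))
Write-Host ("Flash kill bit set in IE  : {0}" -f (Test-FlashKillBit))
# To apply the Flash mitigation, preview first, then run for real (elevated):
#   Set-FlashKillBit -WhatIf
#   Set-FlashKillBit
```

The kill bit only affects Internet Explorer; other browsers with their own Flash plugin are untouched, and the check reports "False" on a machine where Flash was never registered at all, so read it together with the IE version line. Setting the bit is reversible by clearing the 0x400 flag, which is why the script keeps audit and change as separate functions.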

Categories: Vulnerabilities, Web Security

Comments (5)

  1. Richard G

    Maybe Micro-junk should turf IE like they should have years ago, and let some real programmers deal with browsers like Chrome or Torch or Firefox.

  2. Observer

    Now that Windows XP is no longer being supported, you will get hundreds of ads while surfing to get rid of Internet Explorer. It is all an attempt to destroy Internet Explorer. If you are having problems with IE, just remove it from your computer and then download it again and it will work fine.

    Some of these companies will do anything to scare you to death. If you like IE, continue to use it and don’t fall for the new versions; you don’t need them. The messages that IE is outdated, etc., are just scams!!!!!!!!!!!

  3. Deer

    Okay then IE users, if you are unable to switch to another browser, turn on ActiveX Filtering. This will disable Flash for all websites except the ones where you don’t want it to. Go to Settings -> Safety -> ActiveX Filtering. You’ll know it’s blocking something when you see a circle-slash in IE’s address bar. To disable Filtering on a specific webpage, click on the circle-slash and select Turn Off ActiveX Filtering. Note: This only works for IE9 and above.

Comments are closed.