New Remotely Exploitable Bug Found in Internet Explorer

Another serious remotely exploitable bug in Internet Explorer has cropped up, this one in the way that IE's mshtml.dll library handles pages that reference CSS files. There is also publicly available exploit code for the new bug.


The vulnerability was first disclosed on the Full Disclosure mailing list on Wednesday, when someone posted exploit code for the IE bug. The flaw affects IE 8, IE 7 and IE 6 running on most of the currently supported versions of Windows, including Windows 7, Windows Vista and Windows XP SP3.

“A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to take complete control of a vulnerable system. This issue is caused by a use-after-free error within the ‘mshtml.dll’ library when processing a web page referencing a CSS (Cascading Style Sheets) file that includes various ‘@import’ rules, which could allow remote attackers to execute arbitrary code via a specially crafted web page,” an analysis of the bug by Vupen says. “VUPEN has confirmed this vulnerability with Microsoft Internet Explorer 8 on Windows 7, Windows Vista SP2 and Windows XP SP3, and with Internet Explorer 7 and 6 on Windows XP SP3.”
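The Vupen description above gives the trigger only in outline: a stylesheet carrying "various @import rules". As an added example that is not from the article, from Vupen or from Microsoft, the following Python script walks the @import graph of a set of stylesheets held in memory and reports the shape of the import chains: how many @import rules each sheet carries, sheets that import themselves, cycles between sheets, and imports that point at nothing. Treating self-imports and cycles as worth a second look is this editor's heuristic, not a trigger condition stated on the page, and a match says nothing about whether a page is exploitable or merely crashes the browser. The sample stylesheets are constructed for the example, and the regex recognises only the standard `@import "x.css";` and `@import url(x.css);` spellings.

```python
import re
from typing import Dict, List

# Matches the two spellings of the CSS @import rule, e.g.
#   @import "reset.css";   @import url(reset.css) screen;   @import url("reset.css");
# Group 1 is the imported target. Media queries after the target are skipped.
IMPORT_RE = re.compile(
    r"""@import\s+(?:url\(\s*['"]?|['"])([^'")\s;]+)['"]?\s*\)?[^;]*;""",
    re.IGNORECASE,
)


def parse_imports(css: str) -> List[str]:
    """Return the target of every @import rule in a stylesheet, in source order."""
    return IMPORT_RE.findall(css)


def analyze_imports(stylesheets: Dict[str, str], root: str) -> Dict[str, object]:
    """Follow @import rules from `root` through an in-memory set of stylesheets.

    The report contains:
      import_counts: number of @import rules in each stylesheet that was reached
      self_imports:  stylesheets that @import themselves (heuristic, an assumption
                     of this example; the page does not name exact trigger conditions)
      cycles:        import chains that loop back to an earlier stylesheet
      missing:       imported names that are not present in `stylesheets`
    """
    report: Dict[str, object] = {
        "import_counts": {},
        "self_imports": [],
        "cycles": [],
        "missing": [],
    }
    expanded = set()  # sheets whose imports have already been walked

    def walk(name: str, chain: List[str]) -> None:
        if name in chain:
            # We came back to a sheet already on the current path.
            cycle = tuple(chain[chain.index(name):] + [name])
            if len(cycle) == 2:  # ('x.css', 'x.css'): the sheet imports itself
                if name not in report["self_imports"]:
                    report["self_imports"].append(name)
            elif cycle not in report["cycles"]:
                report["cycles"].append(cycle)
            return
        if name not in stylesheets:
            if name not in report["missing"]:
                report["missing"].append(name)
            return
        targets = parse_imports(stylesheets[name])
        report["import_counts"][name] = len(targets)
        if name in expanded:  # reached again via another path; do not re-walk
            return
        expanded.add(name)
        for target in targets:
            walk(target, chain + [name])

    walk(root, [])
    return report


# Constructed sample input for the example (not real captured content).
SAMPLE_STYLESHEETS = {
    "page.css": '@import url("evil.css");\nbody { color: #333; }\n',
    "evil.css": '@import url("evil.css");\n' * 4,          # imports itself four times
    "a.css": "@import 'b.css';\n",                          # a -> b -> a cycle
    "b.css": "@import url(a.css) screen;\n",
    "clean.css": '@import "reset.css";\nh1 { margin: 0; }\n',
    "reset.css": "* { margin: 0; padding: 0; }\n",
}

if __name__ == "__main__":
    for root in ("page.css", "a.css", "clean.css"):
        print(root, analyze_imports(SAMPLE_STYLESHEETS, root))
```

Run against the constructed set, `page.css` reports `evil.css` as a self-importing sheet with four @import rules, `a.css` reports the two-sheet cycle, and `clean.css` reports nothing of note. Such a report is a triage aid for stylesheets pulled from a proxy log or a suspicious page, not a verdict on exploitability.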

There is no patch available for the vulnerability right now. Microsoft is fixing a separate remotely exploitable Internet Explorer bug in next week’s monthly Patch Tuesday update.

“Over the past month, Microsoft and our MAPP partners actively monitored the threat landscape surrounding this vulnerability and the total number of exploit attempts we monitored remained pretty low. Furthermore, customers running Internet Explorer 8 remained protected by default due to the extra protection provided by Data Execution Prevention (DEP),” Microsoft’s Mike Reavey said in a blog post about the December patch release.

That earlier IE bug, the one being patched next week, first came to light in early November, and attackers have been using it in targeted attacks since then. Microsoft officials said the attacks have been less successful than the attackers might have expected, perhaps because the combination of DEP and ASLR on IE 8 running on newer versions of Windows is blunting them.

“The attack patterns for this vulnerability have been somewhat unusual. The Friday after we began our tracking effort, we saw our first spike in activity, predominantly targeting users in Korea, and secondarily attempting to exploit users in China. Although attacks in China trended down over subsequent weeks, we continued to see weekend-related spikes in Korea. However, after the second weekend spike, even these attack attempts continued to trend down, revealing a smaller number of attack attempts each coming weekend,” Holly Stewart of the Microsoft Malware Protection Center said in a blog post. “Over the past few days, attack attempts in China have been on the rise, again, the downward trend that occurred during the first month is unusual for an 0-day vulnerability such as this one. One explanation might be that the attackers did not achieve the success rate that they had hoped.”


Discussion

  • Anonymous:

    Have you actually confirmed Vupen's claims of code execution in the new CSS import 0day? From everything else I've seen, it's a DoS only. Vupen is the only one claiming RCE.
