Security Response

New Internet Explorer Zero-Day Vulnerability Exploited in the Wild

Created: 17 Sep 2012 19:27:12 GMT • Updated: 23 Jan 2014 18:12:26 GMT

Author: Branko Spasojevic

Contributor: Lionel Payet

Eric Romang has published a blog post about the Microsoft Internet Explorer Image Arrays Remote Code Execution Vulnerability, a possible zero-day vulnerability in Internet Explorer that is being exploited in the wild. Microsoft has confirmed that this vulnerability affects Internet Explorer 9, Internet Explorer 8, Internet Explorer 7, and Internet Explorer 6 browsers.

The exploit is made up of four main components:

  1. The Exploit.html file is the starting point and is responsible for setting up the exploit. After setting up the necessary conditions for the vulnerability, it invokes the Moh2010.swf file.
  2. The Moh2010.swf Flash file is responsible for spraying the heap with the payload that will be executed. After setting up the payload, it invokes the vulnerability trigger, the Protect.html file, by opening it in an IFRAME window.
  3. The Protect.html file is the actual trigger of the vulnerability and is responsible for executing the malicious payload set up by the Moh2010.swf file.
  4. The payload will download additional malicious executables and run them on the compromised system.
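
The four-stage sequence above can be hunted for in web proxy logs. The following is an added example, not code from the original post or from Symantec: it flags any client that fetches an HTML page, a Flash file, and a second HTML page from one host and then downloads an executable, all within an assumed 60-second window. The log format, hosts, addresses, and `update.exe` are constructed; only the three file names come from the post.

```python
import csv, io
from datetime import datetime, timedelta

# Constructed proxy-log sample (not real traffic): time, client, host, path, content type.
SAMPLE_LOG = """\
2012-09-17T10:00:01,10.0.0.5,site.example,/Exploit.html,text/html
2012-09-17T10:00:02,10.0.0.5,site.example,/Moh2010.swf,application/x-shockwave-flash
2012-09-17T10:00:04,10.0.0.5,site.example,/Protect.html,text/html
2012-09-17T10:00:09,10.0.0.5,cdn.example,/update.exe,application/x-msdownload
2012-09-17T10:01:00,10.0.0.8,news.example,/index.html,text/html
2012-09-17T10:01:01,10.0.0.8,news.example,/banner.swf,application/x-shockwave-flash
2012-09-17T10:05:00,10.0.0.9,tools.example,/setup.exe,application/x-msdownload
"""

STAGES = ("html", "swf", "html", "exe")  # order of the four components in the post
WINDOW = timedelta(seconds=60)           # assumed correlation window

def kind(path, ctype):
    """Classify a request by extension or content type; None if irrelevant."""
    p = path.lower().split("?")[0]
    if p.endswith(".swf") or ctype == "application/x-shockwave-flash":
        return "swf"
    if p.endswith(".exe") or ctype == "application/x-msdownload":
        return "exe"
    return "html" if ctype.startswith("text/html") else None

def find_chains(log_text):
    """Return (client, [urls]) for every client that completes the chain in order."""
    state, hits = {}, []  # state: client -> (next stage, landing host, start time, urls)
    for ts, client, host, path, ctype in csv.reader(io.StringIO(log_text)):
        t, k = datetime.fromisoformat(ts), kind(path, ctype)
        idx, first_host, start, urls = state.get(client, (0, None, None, []))
        if idx and t - start > WINDOW:
            idx, first_host, start, urls = 0, None, None, []  # chain went stale
        # The first three stages must share one host; the payload may fetch from anywhere.
        if k == STAGES[idx] and (idx in (0, 3) or host == first_host):
            if idx == 0:
                first_host, start = host, t
            state[client] = (idx + 1, first_host, start, urls + [host + path])
            if idx + 1 == len(STAGES):
                hits.append((client, state.pop(client)[3]))
        elif k == "html" and idx < 3:
            state[client] = (1, host, t, [host + path])  # new landing page, restart
    return hits

if __name__ == "__main__":
    for client, urls in find_chains(SAMPLE_LOG):
        print(client, " -> ".join(urls))
```

Matching on the request order rather than on the file names keeps the check useful when the files are renamed; the window and the same-host requirement are tuning assumptions to adjust against local traffic.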

Interestingly, this exploit was hosted on the same servers used in the Nitro attack.

As always, we recommend that you follow best security practices and ensure you have the most up-to-date software patches installed. Use the latest Symantec technologies and virus definitions for the best protection against threats.