Security Response

Rise of IE Zero-Day Through SQL Injection

Created: 15 Dec 2008 19:08:45 GMT • Updated: 23 Jan 2014 18:38:33 GMT
Peter Coogan

Since our blog post "Yes, There's a Zero-Day Exploit for Internet Explorer Out There" was published about what is now covered by Microsoft Security Advisory (961051) for IE (CVE-2008-4844), we have been closely monitoring the uptake of this vulnerability. Symantec provides the antivirus signature Bloodhound.Exploit.219 and the IPS signature 23241 - HTTP MSIE Malformed XML BO to protect users against this exploit. Since the release of our antivirus signature for this vulnerability, we have observed over 33,000 detections on Symantec customer systems. A breakdown of the top 10 countries or regions reporting detections is given below:

At present, Asia is clearly leading in potential infections through exploitation of this vulnerability. This is not surprising, because we have also observed SQL injection attacks that specifically target Asian websites and serve this Internet Explorer exploit. The following iframes have been seen injected into over 100,000 compromised websites, mainly South Korean in origin:

hxxp://s.a[removed]shanghai.com/s.js

hxxp://s.caw[removed].com/s.js

Once a visitor loads a compromised site containing one of these iframes, the exploit for the IE vulnerability in Advisory 961051 is one of several exploits run against the visitor's system. Symantec currently has protection against the exploits served. If exploitation succeeds, the attack drops various malicious code onto the system, such as Downloader and Infostealer.Gamler. Symantec currently detects this malicious code, but recommends keeping definitions up to date because the payloads being served change on a regular basis.
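Site owners hit by this kind of mass SQL injection usually find out when their own pages start serving the attacker's iframe. The scanner below is an added example written for this post, not Symantec's tooling or anything from the original article: it walks a set of page bodies (as pulled from database text columns or fetched from the web server), flags iframe and script tags whose src points at a host the site does not own, and marks the ones sized to zero or hidden with CSS, which is how injected frames are normally concealed. The sample pages, the OWN_HOSTS set and the www.example.kr host are constructed for the example; the two defanged hosts are the blog's own placeholders, not live indicators.

```python
import re
from typing import Dict, List

# Constructed sample input: page bodies as they might be pulled from a
# site's database text columns or fetched from the web server. The two
# hxxp hosts are the blog's defanged placeholders, not live indicators.
SAMPLE_PAGES: Dict[str, str] = {
    "news/1.html": "<html><body><h1>Welcome</h1><p>Hello</p></body></html>",
    "news/2.html": (
        "<p>Latest</p>"
        '<iframe src="hxxp://s.a[removed]shanghai.com/s.js" width=0 height=0></iframe>'
    ),
    "board/3.html": (
        "<div>text</div>"
        "<iframe style='display:none' src=\"hxxp://s.caw[removed].com/s.js\"></iframe>"
        '<script src="/js/site.js"></script>'
    ),
}

# Hosts the site legitimately loads content from (assumed for the example).
OWN_HOSTS = {"www.example.kr"}

# Opening iframe/script tags only; the leading "<" followed directly by the
# tag name excludes closing tags such as </iframe>.
TAG_RE = re.compile(r"<(iframe|script)\b([^>]*)>", re.IGNORECASE)
# name="value", name='value' or bare name=value.
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
# Scheme and host of an absolute URL; hxxp(s) is the defanged form of http(s).
HOST_RE = re.compile(r"^(?:h[xt]{2}ps?)://([^/:?#]+)", re.IGNORECASE)


def parse_attrs(raw: str) -> Dict[str, str]:
    """Turn the attribute text of one tag into a lowercase-keyed dict."""
    attrs: Dict[str, str] = {}
    for m in ATTR_RE.finditer(raw):
        name = m.group(1).lower()
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[name] = value.strip()
    return attrs


def is_hidden(attrs: Dict[str, str]) -> bool:
    """Injected frames are normally sized to 0 or hidden via inline CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    zero = {"0", "0px"}
    return (
        attrs.get("width") in zero
        or attrs.get("height") in zero
        or "display:none" in style
        or "visibility:hidden" in style
    )


def find_injected(html: str, own_hosts) -> List[Dict[str, object]]:
    """Return iframe/script tags whose src points at a host we do not own."""
    findings: List[Dict[str, object]] = []
    for m in TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), parse_attrs(m.group(2))
        src = attrs.get("src", "")
        host_m = HOST_RE.match(src)
        if not host_m:
            continue  # relative path or no src: served from our own site
        host = host_m.group(1).lower()
        if host in own_hosts:
            continue
        findings.append(
            {"tag": tag, "host": host, "src": src, "hidden": is_hidden(attrs)}
        )
    return findings


def scan_site(pages: Dict[str, str], own_hosts) -> Dict[str, List[Dict[str, object]]]:
    """Scan every page body and keep only those with external frames/scripts."""
    return {
        path: hits
        for path, html in pages.items()
        if (hits := find_injected(html, own_hosts))
    }


if __name__ == "__main__":
    for path, hits in scan_site(SAMPLE_PAGES, OWN_HOSTS).items():
        for hit in hits:
            flag = "HIDDEN " if hit["hidden"] else ""
            print(f"{path}: {flag}<{hit['tag']}> -> {hit['host']} ({hit['src']})")
```

Run against a dump of every text column in the site database rather than the rendered pages where possible: the injection lands in the stored data, so cleaning the page cache alone leaves the iframe to reappear. Any host that shows up in the output and is not on the site's own allow list is worth treating as an indicator and blocking at the proxy while the injection is cleaned.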

Message Edited by Turlas on 12-16-2008 12:53 PM