Yes, There’s a Zero-Day Exploit for Internet Explorer Out There

A new and previously unknown vulnerability affecting the Microsoft Internet Explorer 7 browser has been reported, just at the start of the Microsoft “Patch Tuesday” cycle for the month of December. Bad luck, or an intentional strategy by the attackers? It’s not clear at the moment, but the reality is that users around the world started to download and patch their systems just yesterday, while at the same time a new and dangerous exploit surfaced on the Web, trying to infect computers in China and other parts of Asia.

We ran some tests and confirmed that the new vulnerability is, unfortunately, not fixed by the current set of patches released yesterday. The attack is indeed new and it works successfully against a fully patched Windows XP SP3 with Internet Explorer 7, including all recent Microsoft Tuesday patches. Also, Internet Explorer 6 could potentially be affected by the same problem and is therefore only temporarily immune to this initial exploit, which seems to target Internet Explorer 7 on Windows XP and 2003 systems.

Initial reports by other security vendors mentioned a malformed XML tag as the possible cause of the vulnerability; however, from a deeper analysis it seems that the problem affects the XML parsing engine of IE7 and the library MSHTML.DLL. The vulnerability depends on how certain elements of HTML pages are terminated and therefore could potentially affect not only XML, but also other objects handled by the browser. This means that attackers may start using different attack vectors in the future to exploit this vulnerability, but at the moment it seems that this recent exploit, which has been publicly released on several Chinese forums, only uses the XML elements and tags.

The vulnerability is caused by a function that incorrectly frees a certain region of heap memory so that an attacker is able to control the EAX register with a specially crafted Unicode URL, which includes the magic “0x0A0A” value in it. The image below shows an example of the execution crash in the MSHTML module; EAX is loaded with the value controlled by the attacker and is used later as a function pointer to control execution.

Because of the nature of this attack, it does not depend by any specific ActiveX control, so this time we can’t tell you to disable or set the KillBit for a specific CLSID. However, the attack still requires some JavaScript in order to use heap-spray techniques to achieve a reliable code execution; so, blocking JavaScript for un-trusted websites could help to somewhat mitigate the risk.

Our advice for Windows users is as follows:
•    Update your AV and IPS software with the latest signatures
•    Run Internet Explorer with limited privileges
•    Enable DEP protection for browsers
•    Disable JavaScript in Internet Explorer
•    Avoid following links to un-trusted sites

At the moment, we can trace many attacks back to Chinese domains and websites, which are used by the exploit to install and download additional malicious code components. The downloaded malicious code is a variety of Downloader, Infostealer, and W32.SillyDC variants. We also recommend blocking the following hosts at network boundaries:

•    wwwwyyyyy.cn
•    sllwrnm5.cn
•    baikec.cn
•    oiuytr.net
•    laoyang4.cn
•    cc4y7.cn

Symantec released the antivirus signature Bloodhound.Exploit.219 and IPS signature 23241 - HTTP MSIE Malformed XML BO to protect users against this exploit.

* Big thanks go out to Nishant A Doshi and Chintan Trivedi for their valuable help in the analysis of this vulnerability.