Get the ECT News Network Editor's Pick Newsletter » Subscribe Today
Welcome Guest | Sign In

Hackers Having Field Day With IE Zero Day Attacks

By Erika Morphy
Dec 12, 2008 2:56 PM PT

Microsoft and the Internet security community are trying to get a handle on a vulnerability that exposes Internet Explorer to the threat of zero day attacks. When the problem was first discovered -- only a few days after December's Patch Tuesday -- there was confusion about how the exploit worked, as well as which versions of IE were impacted.

Hackers Having Field Day With IE Zero Day Attacks

Microsoft's investigation so far has revealed attacks on the following IE versions:

Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008.

In addition, these IE versions are potentially vulnerable: Microsoft Internet Explorer 5.01 Service Pack 4, Microsoft Internet Explorer 6 Service Pack 1, Microsoft Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 on all supported versions of Microsoft Windows.

Crash and Burn

The vulnerability is an invalid pointer reference in the data binding function of Internet Explorer. In its default state -- when data binding is enabled, that is -- certain conditions allow the release of an object without updating the array length, which makes it possible to access the deleted object's memory space.

This can cause Internet Explorer to exit unexpectedly in a state that is exploitable.

In other words, someone could attack IE 7 by filling the process stack with a tremendous amount of memory, explained Jeff Debrosse, research director at ESET.

When IE subsequently crashes, it's left in a state that makes it vulnerable to a remote exploit, he told TechNewsWorld.

Hackers would then be able to inject a wide variety of malware -- for example, keyloggers or hijackers -- into a system.

Incorrect handling of certain XML tags appears to be the trigger, said Dave Marcus, director of security, research and communications for McAfee Avert Labs.

"That is all we have been able to verify at this point -- it is what we have seen working in the field," he told TechNewsWorld.

The combo of the bug and a certain way of viewing XML appears to be how this vulnerability works, Debrosse agreed.

Threat Level

By setting the exploit loose just days after Microsoft released its Patch Tuesday fixes, the hackers gave themselves time to wreak maximum damage. The zero-day nature of the exploit, it hardly needs to be said, makes it very bad.

"Any time you have an unpatched vulnerability that is publicly disclosed, along with a working exploit code, that is very dangerous, Marcus noted.

This timing effectively adds to the potency of such a vulnerability, especially considering such a wide base that could be affected, said Derek Manky, lead threat researcher for Fortinet.

"Suffice to say that this has the potential to be big," he told TechNewsWorld.

Browser Wars

This exploit drives home -- yet again -- how vulnerable an otherwise strong Internet security policy can be to a weak browser, Paul Judge, CTO and cofounder of Purewire, told TechNewsWorld.

There's much to be appreciated about Web 2.0, he said, but many of these applications can also serve as vectors for malware.

"Browsers have become the most vulnerable link in the Internet security landscape," he noted.

Indeed, it is little wonder that Google developed and released Chrome, Wolfgang Kandek, CTO of Qualys, told TechNewsWorld. "Google is dependent on having consumers use a safe browser."

Microsoft has not yet developed a patch. Right now, security firms are offering piecemeal suggestions to protect against the vulnerability. Microsoft is suggesting users unregister oledb32.dll, but even this will not necessarily block the vulnerability.

Salesforce is a Leader in the Gartner Magic Quadrant 2019 for Digital Commerce
How concerned are you about online disinformation during the U.S. presidential election cycle?
Very concerned -- Internet companies haven't done enough to address the issue.
Very concerned -- there's really no effective way to counter it.
Somewhat concerned -- companies have stepped up to lessen the impact.
Somewhat concerned -- voters are less naive this time around.
Not at all concerned -- the threat is overblown.
Not at all concerned -- voters have learned to fact-check for themselves.
Amazon Advertising: Strategies to Drive Success
Salesforce is a Leader in the Gartner Magic Quadrant 2019 for Digital Commerce