Microsoft and the Internet security community are trying to get a handle on a vulnerability that exposes Internet Explorer to the threat of zero day attacks. When the problem was first discovered — only a few days after December’s Patch Tuesday — there was confusion about how the exploit worked, as well as which versions of IE were impacted.
Microsoft’s investigation so far has revealed attacks on the following IE versions:
Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008.
In addition, these IE versions are potentially vulnerable: Microsoft Internet Explorer 5.01 Service Pack 4, Microsoft Internet Explorer 6 Service Pack 1, Microsoft Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 on all supported versions of Microsoft Windows.
Crash and Burn
The vulnerability is an invalid pointer reference in the data binding function of Internet Explorer. In its default state — when data binding is enabled, that is — certain conditions allow the release of an object without updating the array length, which makes it possible to access the deleted object’s memory space.
This can cause Internet Explorer to exit unexpectedly in a state that is exploitable.
In other words, someone could attack IE 7 by filling the process stack with a tremendous amount of memory, explained Jeff Debrosse, research director at ESET.
When IE subsequently crashes, it’s left in a state that makes it vulnerable to a remote exploit, he told TechNewsWorld.
Hackers would then be able to inject a wide variety of malware — for example, keyloggers or hijackers — into a system.
Incorrect handling of certain XML tags appears to be the trigger, said Dave Marcus, director of security, research and communications for McAfee Avert Labs.
“That is all we have been able to verify at this point — it is what we have seen working in the field,” he told TechNewsWorld.
The combo of the bug and a certain way of viewing XML appears to be how this vulnerability works, Debrosse agreed.
By setting the exploit loose just days after Microsoft released its Patch Tuesday fixes, the hackers gave themselves time to wreak maximum damage. The zero-day nature of the exploit, it hardly needs to be said, makes it very bad.
“Any time you have an unpatched vulnerability that is publicly disclosed, along with a working exploit code, that is very dangerous, Marcus noted.
This timing effectively adds to the potency of such a vulnerability, especially considering such a wide base that could be affected, said Derek Manky, lead threat researcher for Fortinet.
“Suffice to say that this has the potential to be big,” he told TechNewsWorld.
This exploit drives home — yet again — how vulnerable an otherwise strong Internet security policy can be to a weak browser, Paul Judge, CTO and cofounder of Purewire, told TechNewsWorld.
There’s much to be appreciated about Web 2.0, he said, but many of these applications can also serve as vectors for malware.
“Browsers have become the most vulnerable link in the Internet security landscape,” he noted.
Indeed, it is little wonder that Google developed and released Chrome, Wolfgang Kandek, CTO of Qualys, told TechNewsWorld. “Google is dependent on having consumers use a safe browser.”
Microsoft has not yet developed a patch. Right now, security firms are offering piecemeal suggestions to protect against the vulnerability. Microsoft is suggesting users unregister oledb32.dll, but even this will not necessarily block the vulnerability.