(LiveHacking.Com) – While investigating reports that the Council on Foreign Relations (CFR) website had been compromised, FireEye discovered that the site was hosting malware that exploited a previously unknown (zero-day) vulnerability in Internet Explorer 8. The attack seen by FireEye uses Adobe Flash to generate a heap spray attack against IE. According to Microsoft’s Security Advisory 2794220, the issue affects Internet Explorer 6, 7 and 8, and a small number of targeted attacks are happening in the wild. A successful exploit, which is normally triggered by getting a victim using IE 8 to browse a malicious website, allows remote code execution. Internet Explorer 9 and 10 are not affected by this issue, so upgrading to these versions will help defend against this vulnerability. However, neither IE 9 nor IE 10 is available for Windows XP users.
The vulnerability exists because of the way Internet Explorer accesses a previously deleted chunk of memory. The resulting memory corruption allows an attacker to execute arbitrary code in the context of the current user within IE. By building a specially crafted website designed to trigger the bug, an attacker can exploit the vulnerability whenever an Internet Explorer 6, 7 or 8 user is convinced or tricked into viewing the site.
What can you do?
Aside from upgrading to IE 9 or IE 10, and while IE 8 users are waiting for a patch, IE users can block the current targeted attacks by disabling the attack vectors:
- Disabling Flash will prevent the ActionScript-based heap spray from preparing memory so that the freed object contains exploit code.
- Disabling the ms-help protocol handler AND ensuring that Java 6 is not allowed to run will block the ASLR bypass and the associated ROP chain.
Of course, trying to use IE 8 with JavaScript disabled is probably next to impossible. So while Microsoft is working on a comprehensive update to IE, there is a trick which Microsoft is releasing as a Fix It. The trick does not address the vulnerability itself but does prevent it from being exploited for code execution, by making a two-byte change to mshtml (replacing a je instruction with a jmp).
Known as a shim, the change may have the side effect, in some circumstances, that the default form button is no longer selected by default.
The shim is currently being packaged and code-signed as a one-click, deployable Microsoft Fix It tool. The 32-bit and 64-bit shims are attached to this blog post and also available at the following URLs:
- mshtml_shim32.sdb (SHA1: 695750970F6595D247FA30775579BD22E034252B)
- mshtml_shim64.sdb (SHA1: 29444332522F8F06A88953071B3BA13C14FBD70A)
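Because the shim files are distributed with published SHA1 digests, the practical check before deploying them is to verify that the downloaded .sdb files actually match those digests. The following script is an added example written for this article, not Microsoft's or LiveHacking's own code; the two expected digests are the ones listed above, and the directory layout (shim files sitting in one folder) is an assumption. A mismatch means the file is not the signed shim Microsoft published and should not be applied.

```python
import hashlib
import os
import sys

# Expected SHA1 digests for the Fix It shim files, as listed in the article above.
EXPECTED_SHA1 = {
    "mshtml_shim32.sdb": "695750970F6595D247FA30775579BD22E034252B",
    "mshtml_shim64.sdb": "29444332522F8F06A88953071B3BA13C14FBD70A",
}


def sha1_of_bytes(data):
    """SHA1 of an in-memory byte string, returned as upper-case hex."""
    return hashlib.sha1(data).hexdigest().upper()


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA1 so the whole download never has to sit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def verify_shim(path, expected_hex):
    """True only if the file's SHA1 equals the published digest (case-insensitive)."""
    return sha1_of_file(path) == expected_hex.strip().upper()


def check_downloads(directory):
    """Check each expected shim in `directory` (assumed layout: all .sdb files in one folder).

    Returns {filename: True (digest matches), False (mismatch), None (file not present)}.
    """
    results = {}
    for name, digest in EXPECTED_SHA1.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = None
        else:
            results[name] = verify_shim(path, digest)
    return results


if __name__ == "__main__":
    # Usage: python verify_shims.py <download-directory>   (defaults to the current directory)
    folder = sys.argv[1] if len(sys.argv) > 1 else "."
    status = {True: "OK", False: "MISMATCH - do not apply", None: "not found"}
    for name, ok in check_downloads(folder).items():
        print(f"{name}: {status[ok]}")
    # Non-zero exit if any present file failed verification, so this can gate a deployment script.
    sys.exit(1 if False in check_downloads(folder).values() else 0)
```

The file is hashed in chunks rather than read whole, and the comparison normalises case so a digest copied from the advisory in lower case still verifies. Only files that are present and mismatched cause a non-zero exit; a missing file is reported but does not by itself fail the run.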