New IE Zero-Day Being Exploited In the Wild 134
wiredmikey writes "A new zero-day vulnerability affecting Internet Explorer is being exploited in the wild affecting IE 9 and earlier. The vulnerability, if exploited, would allow full remote code execution and enable an attacker to take over an affected system. Security researcher Eric Romang discovered the vulnerability and exploit over the weekend while monitoring some infected servers said to be used by the alleged Nitro gang. To run the attack, a file named 'exploit.html' is the entry point of the attack ... According to analysis by VUPEN, the exploit takes advantage of a 'use-after-free vulnerability' that affects the mshtml.dll component of Internet Explorer. Rapid7 on Monday released an exploit module for Metaspolit which will let security teams and attackers alike test systems."
Re:Question: (Score:5, Informative)
exploit yes, virus no (Score:5, Informative)
From TFA:
First, a file named “exploit.html” appears to be the entry point of the attack, which loads “Moh2010.swf”, an encrypted Flash file that it decompress in memory.
According to AlienVault's Jaime Blasco, the payload dropped is Poison Ivy, as was the case with the previous Java zero-day. Poison Ivy is a remote administration tool (RAT) that was used the Nitro attacks that targeted chemical and defense companies. Interestingly, after exploitation, the attack loads “Protect.html”, a file that checks to see if the Web site is listed in the Flash Storage settings, and if it is, the Web browser will no longer be exploited despite additional visits to the malicious site.
Re:Does this include IE9-64? (Score:5, Informative)
Yes, IE9-64 is affected by the vulnerability. Whether exploits in the wild will succeed against it is another question...