Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
Internet Explorer Microsoft Security News

New IE Zero-Day Being Exploited In the Wild 134

wiredmikey writes "A new zero-day vulnerability affecting Internet Explorer is being exploited in the wild affecting IE 9 and earlier. The vulnerability, if exploited, would allow full remote code execution and enable an attacker to take over an affected system. Security researcher Eric Romang discovered the vulnerability and exploit over the weekend while monitoring some infected servers said to be used by the alleged Nitro gang. To run the attack, a file named 'exploit.html' is the entry point of the attack ... According to analysis by VUPEN, the exploit takes advantage of a 'use-after-free vulnerability' that affects the mshtml.dll component of Internet Explorer. Rapid7 on Monday released an exploit module for Metaspolit which will let security teams and attackers alike test systems."
This discussion has been archived. No new comments can be posted.

New IE Zero-Day Being Exploited In the Wild

Comments Filter:
  • by minstrelmike ( 1602771 ) on Monday September 17, 2012 @06:27PM (#41368443)
    I'm shocked. Shocked I tell you.
    • by Anonymous Coward

      I'm shocked. Shocked I tell you.

      Clearly we should stop supporting all browsers before IE12 and Firefox 39725.1

    • by DarkOx ( 621550 )

      I know you were going for funny but, well "I am shocked."

      Microsoft has taken IE security pretty seriously and has established a pretty darn good track record with IE7->9 so far, at least on ASLR enabled platforms. I am surprised to see a reliable exploit that can be implemented as a drive-by on otherwise current platforms. This going to be a big deal and likely force an off cycle patch.

    • One of these devs [] was on the job.
    • Re:I/E 9 at risk (Score:5, Insightful)

      by girlintraining ( 1395911 ) on Monday September 17, 2012 @06:53PM (#41368751)

      I'm shocked. Shocked I tell you.

      Almost every major browser in use has had a vulnerability. Those that haven't are vulnerable because of commonly-used plugins. It's not just IE9, it's browsers in general... it's the repeated and systemic perversion and added complexity of trying to turn the web into the end-all and be-all of the internet. When it was created, the uses for it were not as complicated as they are now.

      It's the complexity of the web that is its vulnerability -- I honestly don't think there's a way to write a truly-secure web browser because everything from the protocols up have been shoehorned into things they were never designed to do. The entire thing needs to be jettisoned -- html, css, xml, http, ssl, everything. We need to start over from scratch, and build a new set of protocols and specifications, not just continually band-aid over existing ones. And this time, security needs to be a design consideration from the start, not evolved in.

      Anyone with an understanding of information systems' security will tell you -- security needs to be built in from the start or it doesn't matter how much effort you put in later, you're going to be chasing down problems forever. Start with a secure and vetted design and it's a lot more likely to perform. Of course, real security would mean that governments, corporations, and other interested parties wouldn't be able to snoop on what you're doing -- anything sent in the clear can be screwed with. Oh... and it wouldn't be as convenient as it is today; You'd have to think about what you were doing, instead of blithering about and when you get "hacked" blaming everyone but yourself.

      Real security would mean no more excuses... from anyone. That's why you won't exactly be seeing a parade down main street anytime soon congratulating people on making computers more secure; Responsibility? Not on MY internet!

      • by Anonymous Coward
        The entire thing needs to be jettisoned? Start over from scratch? The odds of that happening to the web are about the same as the odds of that happening with the government. It sounds good, but it's far from practical.
      • Running web browsers in a well-written sandbox with only very careful access to "the outside machine" will help keep browser bugs from turning into system-wide vulnerabilities.

        Sure, someone may take over your browser and turn it into DNS-generation-engine, but once you quit your browser, anything left over will require a social-engineering attack ("download catpics.exe and after you quit your browser, run it!") to continue living.

        While no sandbox is perfect [], there is (hopefully) a smaller and better-enginee

    • Yeah, I put this right beside those users that posted to tell me "Oh IE isn't fragmented, you just have to buy the latest OS to use it!" wow, really? No shit.

      The sad part is I at this point really don't have much in the way of sympathy anymore for anyone using IE and getting boned. this is like a dog walking out in front of a car and getting hit again and again, sooner or later you just figure its Darwin's way of thinning the herd of the dumbasses in the breed.

      The only nice thing I can say about IE is thank

      • by mcgrew ( 92797 ) *

        but every. single. time. I've had a user tell me they have "A problem with Internet explorer" I open the thing up and its got more toolbars and other malware bullshit than you can even count, anybody stupid enough to use IE while the spyware and toolbars and other shit just keeps piling up deserves what they get.

        Heh, a friend told me the other day he broke his monitor with his mouse; his XP PC had slowed to a crawl after he let his daughter in law use it. I looked at it for him, it was full of useless crud

        • Easy way to get them off IE, without having to resort to Kubuntu (which is a BAD idea unless you want to be their 24/7/365 tech support BTW, because they'll drive you batshit wanting some Windows this or that software to run or because something is "acting funny" which is actually its default behavior and just different) is to give them Comodo Dragon with ABP and the ForecastFox extensions.

          This way they have a browser that's fast like Chrome but with no phone home, if you take the default option that has th

  • ... as long as it doesn't strike in those first few minutes where I have a freshly installed system and am using IE to download FIrefox (IE is great for this, by the way!) ... then I should be safe!

    • I think this actually requires you to visit a poisoned web site.

      So, unless the web site or torrent that you are getting Firefox from is compromised, you should be okay.

      • by jafiwam ( 310805 )

        Not really.

        Compromised ad servers seem to happen often enough still. People have in not so recent past gotten infected from not so dangerous sites such as

        Some sites are such morasses of server calls to other places all jumbled in one page it defies description. True, someone visiting the same four sites is going to be OK, but someone visiting Facebook (as an example) may very well be exposed.

    • windows key + r cmd ftp cd /pub/ get "Firefox Setup 15.0.1.exe"
  • Day Zero (Score:4, Funny)

    by puddingebola ( 2036796 ) on Monday September 17, 2012 @06:35PM (#41368535) Journal
    Been saing for years that if we'd just get rid of day zero on the calendar that so many security concerns could be solved, but instead we get yet another vulnerability. How did this happen on day 260?
  • by Anonymous Coward


  • Getting fed up (Score:5, Interesting)

    by gravyface ( 592485 ) on Monday September 17, 2012 @06:50PM (#41368701)
    of shoddy browser security. Could this not be "solved" with proper sandboxing? If there's legacy code to support (this has been cited many times in the past for reasons why), please, please fork IE into two branches: IE Classic or whatever that's fully backwards compatible, and an IE Lite that's completely sandboxed and locked down for wide-spread corporate deployment.
    • Not just IE. All of Windows could be sandboxed. Exe should not be able to modify files outside their own install directory. Leave legacy support for old trusted .exes though.
      • And it is that "legacy support" that is causing half the problems of Windows. It's never good to support legacy, at least, not without very careful consideration. Considering sandboxing though, it might just be alright to have all the legacy stuff in a VM-like environment entirely and have your host system be something a lot more stable. That just sounds like having linux host + windows guests though.
      • True, true. And simple also. Just have all the routers do DPI on the traffic, and if it is from a Windows machine, then just drop the packet.
    • You and me both! Just how many times has IE been patched to plug a "full remote code execution" bug? How many more damn times must we see a zero-day IE exploit that can render total ownage of an OS?

      Defective by design indeed!

      • Actually there have been 30+ exploits in Firefox between 3.6 and the current release over the year and a half!

        They are everywhere and nupen came to fame earlier this year from cracking Chrome. It is not a design flaw per say as IE 9 is sanboxed. It is hard when you have JIT javascript, flash, and java which job is to ACTUALLLY EXECUTE on the given platform.

        According to the exploit it needs flash or java to spray the sandbox heap until the sandbox eventually gets compromised. So that is the problem right the

  • They (as in the bad guys) named their main attack vector "exploit.html?" Yeah -- nothing suspicious-sounding about that one.
  • I have a question. Does the exploit work on Win 7 machines or just Win XP?

    Yes I RTFAed. It doesn't really spell out what combo of IE and Windows are vulnerable.
  • by planckscale ( 579258 ) on Monday September 17, 2012 @06:58PM (#41368803) Journal
    This exploit has been targeting chem and defense companies. The thing about these exploits is that they typically are just a method to drop the actual payload which is usually a virus or trojan. In this case it looks like the payload is Poison Ivy, which was added to NOD32 AV defs back in 2008. Yes, the attacker could compromise the machine and get admin shell, but the majority of the time they’re installing a keylogger or other virus which NOD32 will catch.

    From TFA:

    First, a file named “exploit.html” appears to be the entry point of the attack, which loads “Moh2010.swf”, an encrypted Flash file that it decompress in memory.

    According to AlienVault's Jaime Blasco, the payload dropped is Poison Ivy, as was the case with the previous Java zero-day. Poison Ivy is a remote administration tool (RAT) that was used the Nitro attacks that targeted chemical and defense companies. Interestingly, after exploitation, the attack loads “Protect.html”, a file that checks to see if the Web site is listed in the Flash Storage settings, and if it is, the Web browser will no longer be exploited despite additional visits to the malicious site.

  • Some say a diamond is forever.

    I'd say the same about "the zero-day season" at least with respect to systems like Windows as we know it + commonly used 3rd party applications as we know them.

  • How is that possible? Isn't "new" and "zero-day" mutually exclusive?
    • by ameoba ( 173803 )

      No - redundant.

      • A Zero Day exploit is one that has not been released to the public or manufacturer. There are 0 days of public awareness of the exploit. Once released it's Day 1, and that counter increments until the exploit is fixed.
        The term has since changed, and now a 0-day seems to be any unpatched vulnerability, no matter how long the public/manufacturer have been aware of it.
        Under the old definition (which actually makes sense) news about a 0-day is impossible, since once it's in the news it's not a 0-day anymore. Th
  • by fast turtle ( 1118037 ) on Monday September 17, 2012 @07:39PM (#41369261) Journal

    Yes I RTFA and didn't see any information on whether IE9-64 is affected. Pretty lousy of the tester to not bother indicating if the problem is only with the 32bit version as the 64bit has a better baseline security configuration. Due to these issues, it's just one of the reasons I also use Palemoon64. Improved security such as full ASLR along with DEP support so I'm hopefull this does not affect IE9-64 due to the limited number of folks actually using it.

  • So as long as I don't visit a page called exploit.htm I should be ok?
  • by Trogre ( 513942 ) on Monday September 17, 2012 @09:17PM (#41370057) Homepage

    Isn't IE that tool people use to download Firefox?

    • by tqk ( 413719 )

      Isn't IE that tool people use to download Firefox?

      (0) kiak /home/keeling_ aptitude search explore
      p bzr-explorer - GUI application for using Bazaar
      p emboss-explorer - web-based GUI to EMBOSS
      p kzenexplorer - manage tracks and playlists on Creative La
      p swac-explore - audio collections of words (SWAC) explorer
      p tracker-explorer - metadata database, indexer and search tool
      (0) kiak /home/keeling_ which firefox

      Nope. "Oh. My. Gawd! Another IE zero day exploit!" Well, if you weren't using the !@#$ it wa

      • [root@server ~]# aptitude search explore
        -bash: aptitude: command not found
        [root@server ~]# which firefox /usr/bin/which: no firefox in (/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)


        • by tqk ( 413719 )

          apt-get install aptitude && aptitude update && apt-get install iceweasel && HTH. # Enjoy. :-)

          FF was installed with the OS when I reinstalled recently. Tooduls.

  • does anyone actually use IE when they don't have to?
    • by tqk ( 413719 )

      does anyone actually use IE when they don't have to?

      I've known people who thought IE was the Internet. No amount of $BASEBALLBAT could sway them from that belief. There's people on /. who think they'll never have to give up on XP.

      Hence, Win* malware. It's some weird, deficient intellect related, form of masochism is all I can think. Whatever floats your boat, I guess.

      • There are also actually some useful features of IE that no other browser has be default (there are halfway-there implementations of some in Firefox extensions, and full implementations of a few others). I use IE, Firefox, and Chrome on a daily basis (Opera and Safari are also installed but rarely get used). For example, I prefer the built-in tab management in IE over both of the others, although I'm a little annoyed that they disabled Quick Tabs by default in IE9 (easy to restore it though). This is one are

        • by tqk ( 413719 )

          There are also actually some useful features of IE that no other browser has [by] default ...

          Yeah, like ready and willing access to an underlying OS which can't be bothered to protect itself from malware. Are you a malware author/distributor? I'll bet they love IE.

          The lower classes have a couple of words they use that describes IE's behaviour wrt women. They start with a 'w' or an 's'.

          Actually, I've no real problem with IE; it's a web browser. I blame its underlying OS's fragility.

  • Does this exploit work if you're running a modern Internet security suite such as the new Norton Internet Security 2013 with all anti-malware definitions up to date? Mind you, my default web browser on my desktop and laptop is Google Chrome 21.0.1180.89, the current "stable" release version.

    • I'm sure once the anti-malware vendors update their signatures in a few days they will detect it, but for now its fair game. The problem with anti-malware/anti-virus software as that they are purely reactive, they really don't help much against zero-day attacks.
      • I'd almost agree, but most companies that sell Internet security software update their definitions many times a day around the clock. In fact, in Norton Internet Security 2013 on my desktop and laptop computers, the updates occur at least 7-8 times per days for the latest anti-malware definitions.

        • I don't know what they are updating, but they certainly are not pushing signature updates 7-8 times a day. Not enough new threats come out every day to warrant that kind of update cycle.

          FWIW, I don't even see an official product page for the "2013" version, which makes me think you might be running a trojan and the 2012 version only updates every few days [], which is typical.
          • I'm running the 2013 version, given it was directly downloaded from Symantec's own web site. :-) The release version (which came out a week ago) is In fact, I found out that NIS 2013 can do "pulse" updates of anti-malware definitions about 2-3 rimes per hour.

  • by seandiggity ( 992657 ) on Monday September 17, 2012 @11:21PM (#41370867) Homepage
    But I thought they turned on that "Do Not Hack" HTTP header??
  • This exploit gains the privileges of the running user on Windows Vista and 7. The entire point of all the "allow/deny" popup BS with UAC was because they wanted to restrict processes to the lowest privilege necessary. IE is supposed to be a high-risk, sandboxed application and yet this exploit magically gets around it and gains access to the full user's account, which probably has admin rights on the machine. MS does not understand security. You don't start out by giving a user admin rights, you make th
  • I wonder, given many people here are convinced it's a dying product, why a story like this makes the front-page? Either IE is popular so news like this is important, or IE is a side-lined product that has no seems that narrative changes depending on if the news is good or bad.

    I find it curious we rarely hear about new major product releases from MS, but the second there's a vulnerability it's the top story. Are we interested in IT or just IT that isn't MSFT tech? There's a difference.

    Meh, wha

You can measure a programmer's perspective by noting his attitude on the continuing viability of FORTRAN. -- Alan Perlis