Attackers Feast on 0-day Exploit for IE 7, 8 and 9 On Windows XP, Vista, and 7
A new 0-day exploit enabling remote code execution in Internet Explorer 7, 8, and 9 on Windows XP, Vista and Windows 7 could let attackers execute malicious code in the context of the current user. Attackers could craft websites that take advantage of a vulnerability in the way Internet Explorer accesses objects that have been deleted or improperly allocated.
“An attacker who successfully exploited this vulnerability could gain the same user rights as the current user,” says the Microsoft Security Advisory. “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
The Java exploit that plagued Firefox a couple of weeks back seems related to the newly discovered IE exploit. Shortly after the news broke, Oracle released a patch plugging the breach, only to have a new one emerge for Internet Explorer 7, 8 and 9.
Microsoft says that Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 should not be affected because IE runs in Enhanced Security Configuration mode on those systems, but XP, Vista and 7 are vulnerable. With 41% of North Americans and 32% of worldwide internet users relying on Internet Explorer, the 0-day exploit could affect millions.
Any website rigged for the purpose could serve an iframe that uses the Internet Explorer vulnerability to run shellcode in system memory. Users are asked to switch to a different browser until Microsoft distributes a patch.
“In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability,” says Microsoft. “In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.”
The main vector for spreading links to compromised websites could be spam aimed at convincing users to visit them. By the time the bug is fixed, the Metasploit team will have already stitched together a working exploit for enthusiasts to fiddle around with.