0-day exploit for Internet Explorer in the wild

0-day exploit for Internet Explorer in the wild
As reported by some other researchers, there is a 0-day exploit for Internet Explorer circulating in the wild. At this point in time it does not appear to be wildly used, but as the code is publicly available we can expect that this will happen very soon. This is a brand new exploit that is *not* patched with MS08-073 that was released yesterday. I can confirm that the exploit works in a fully patched Windows XP machine. The exploit is a typical heap overflow that appears to be exploiting something in the XML parser. After setting up the heap (spraying it – allocating 159 arrays containing the shell code) the exploit checks if couple of things are satisfied before continuing: The user has to be running Internet Explorer The version of Internet Explorer has to be 7 The operating system has to be Windows XP or Windows 2003 If these things are satisfied, the exploit creates an XML tag as shown above. What is also interesting, and can be seen in the code above is that it waits 6 seconds before executing the code – this was probably added to thwart automatic crawlers by anti-virus vendors. We have not confirmed yet if other versions are affected (Internet Explorer 6 or Internet Explorer 7 on Microsoft Windows Vista). How to mitigate? This is a difficult question as we have not analyzed this completely yet. If you use an alternative browser you are not affected. When we get more information we will update the diary. -- Bojan	Bojan 392 Posts ISC Handler Dec 10th 2008
Subscribe	Dec 10th 2008 1 decade ago
Just a little reminder to those that use IE7 daily; please remember to upgrade / patch your \"backup browser\" before you start using it! ;)	dotBATman 64 Posts
Quote	Dec 11th 2008 1 decade ago
For those of you that use Websense at the enterprise level, I suggest adding the list of domains and harness it to protect your network.	DemiGuru 5 Posts
Quote	Dec 11th 2008 1 decade ago