Researchers have uncovered active malware attacks that exploit a critical and previously unknown vulnerability in the latest versions of Microsoft’s Internet Explorer browser.
The attacks are being waged by the same malware group that recently exploited a separate, zero-day vulnerability in Oracle’s Java software framework. The attacks install the Poison Ivy backdoor trojan when unsuspecting people browse a booby-trapped website using a fully patched version of Windows XP running the latest versions of IE 7 or IE 8, according to a blog post published Monday morning by Jaime Blasco, a researcher with security firm Alien Vault.
The underlying vulnerability can be exploited on many computers running Windows Vista and Windows 7, and it also affects version 9 of the Microsoft browser, said HD Moore, CSO of security firm Rapid7 (and the chief architect of the open-source Metasploit tool kit used by penetration testers and hackers). He said a Metasploit module researchers already added to the framework works against the later operating systems when Oracle’s Java Standard Edition 6 or Microsoft’s Visual C runtime library is installed. The software add-ons make otherwise protected systems vulnerable by allowing attackers to bypass a malware defense known as ASLR, or address space layout randomization, that debuted in Windows Vista.
“What may be most worrying is that Windows Vista and 7 don’t protect you,” Moore told Ars. “This is one of the few times that a vulnerability has been successfully exploited across all the production shipping versions of the browser and OS. The surprising thing about this is the fact they (Metasploit researchers) got to work across every one of these platforms.”
The exploits circulating in the wild may be relying on other methods to override the more limited defenses included in the Service Pack 3 version of Windows XP. According to Eric Romang, the researcher who disclosed the IE attacks over the weekend, they require the victim to be running Adobe’s Flash Player, possibly to carry out what’s known as a “heap spray” (another technique for bypassing ASLR). The attacks are being carried out by the same gang that waged the recent stealth attacks against critical vulnerabilities in Java. The files used in the latest wave of attacks had little or no detection by the 34 most widely used antivirus programs, at least at the time Romang published his blog post. It wouldn’t be surprising for detection to ramp up quickly in the next few hours.
A Microsoft representative said that company engineers are investigating the reports and didn’t have an immediate comment for this article.
Windows users should avoid using IE until more is known about the vulnerability. As Ars has counseled before, Java should be kept up-to-date or uninstalled altogether if users don’t rely on it to enable other software to work. For users who are unable or unwilling to uninstall Java, updating to Java Standard Edition 7 appears to be another way to remain protected from this threat, although it immediately opens users up to a separate critical vulnerability in Java that Oracle has yet to publicly acknowledge.
Moore said the attacks are exploiting a use-after-free vulnerability in IE that allows attackers to create an image URL that references uninitialized memory. The in-the-wild attacks appear to be targeting only Windows XP systems. But with the release of Metasploit code that works on a much wider array of platforms, it wouldn’t be surprising to see attacks target those systems as well.
Even when people don’t actively use IE, many utilities and third-party applications make use of IE code. That opens the possibility that people on public WiFi systems and other unsecured networks could inject malicious code into a victim’s Web traffic in an attempt to exploit the vulnerability.
“Just keep in mind that even if you don’t use IE for day-to-day browsing, a lot of tools you use do embed IE and those are vulnerable,” Moore said.