
Zero Bug Link

New zero-day bug targets IE users in drive-by attack

Computers infected with malware after visiting a “strategically important Web site,” security firm FireEye warns.

Steven Musil

A pair of vulnerabilities in Internet Explorer are currently being exploited in the wild to install malware on computers that visit at least one malicious Web site, security researchers warn.

The classic drive-by download attack targets the English versions of IE 7 and 8 on Windows XP and IE 8 on Windows 7, security firm FireEye warned in a company blog post Friday. However, the firm wrote that its analysis indicated that other languages and browser versions could be at risk.

“The exploit targets the English version of Internet Explorer, but we believe the exploit can be easily changed to leverage other languages,” FireEye researchers Xiaobo Chen and Dan Caselden wrote. “Based on our analysis, the vulnerability affects IE 7, 8, 9 and 10.”

The second of the two holes is an information leakage vulnerability that is used to retrieve the timestamp from the program executable’s header.

“The timestamp is sent back to the attacker’s server to choose the exploit with a ROP chain specific to that version of msvcrt.dll,” the pair wrote. “This vulnerability affects Windows XP with IE 8 and Windows 7 with IE 9.”

The exploit’s “ROP chain,” or return-oriented programming, is a technique that strings together short fragments of code already present in memory (here, in a specific build of msvcrt.dll) instead of injecting new executable code, which lets the exploit get past defenses that block the execution of injected code.
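The value the information-leak bug retrieves is the TimeDateStamp field of msvcrt.dll's PE header, which is what lets the attacker pick a matching ROP chain. The following Python parser, added here as an illustration and not FireEye's or the article's code, reads that field from a PE image so a defender can inventory which msvcrt.dll build is actually deployed on a host; the minimal test image and the Windows path are constructed assumptions.

```python
import struct
from datetime import datetime, timezone


def pe_timestamp(image: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image (the field the
    information leak described above exposes from msvcrt.dll)."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    # e_lfanew (file offset of the "PE\0\0" signature) sits at DOS header offset 0x3C
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header follows the 4-byte signature:
    #   Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (timestamp,) = struct.unpack_from("<I", image, e_lfanew + 4 + 4)
    return timestamp


def timestamp_to_utc(ts: int) -> str:
    """Render the link-time stamp as a human-readable UTC date."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed sample image: DOS header + PE signature + COFF header only
    (no optional header or sections), enough for pe_timestamp() to parse."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after DOS header
    # Machine=i386, 1 section, TimeDateStamp, no symbols, opt hdr size 0xE0, DLL|EXECUTABLE
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0xE0, 0x2102)
    return bytes(dos) + b"PE\0\0" + coff


def fingerprint_host_dll(path: str = r"C:\Windows\System32\msvcrt.dll") -> int:
    """Assumed defender use on a Windows host: record the deployed msvcrt.dll
    build so the leaked timestamp can be matched against an inventory."""
    with open(path, "rb") as f:
        return pe_timestamp(f.read())


if __name__ == "__main__":
    sample = build_minimal_pe(1320000000)  # constructed value
    ts = pe_timestamp(sample)
    print(f"TimeDateStamp 0x{ts:08X} = {timestamp_to_utc(ts)} UTC")
```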

FireEye wrote in a follow-up post that further analysis found that the exploit was part of an advanced persistent threat (APT) in which attackers inserted the exploit code directly “into a strategically important website, known to draw visitors that are likely interested in national and international security policy.”

Further distinguishing this exploit from others is that the payload was delivered without first writing to disk, a technique that “will further complicate network defenders’ ability to triage compromised systems, using traditional forensics methods,” the researchers wrote.

“Specifically, the payload is shellcode, which is decoded and directly injected into memory after successful exploitation via a series of steps,” FireEye researchers wrote in the latest post. “By utilizing strategic Web compromises along with in-memory payload delivery tactics and multiple nested methods of obfuscation, this campaign has proven to be exceptionally accomplished and elusive. APT actors are clearly learning and employing new tactics.”

FireEye did not identify the affected Web site but said the attacks can be mitigated by using Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).
