iTWire - Latest Internet Explorer vulnerability 'in the wild'

Latest Internet Explorer vulnerability 'in the wild'

By David Heath
Wednesday, 25 November 2009 05:55

Exploit code for the newest vulnerability (called "HTTP IE Style Heap Spray BO") is widely available on the Internet, should anyone wish to look for it.

A few days ago, BugTraq published the latest Internet Explorer exploit.

According to VUPEN, "A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to compromise a vulnerable system. This issue is caused due to a memory corruption error in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the "getElementsByTagName()" method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.

"VUPEN has confirmed the vulnerability on fully patched Windows XP SP3 systems with Internet Explorer 7 and 6."

In addition, Symantec has noted that "The exploit targets a vulnerability in the way Internet Explorer uses cascading style sheet (CSS) information. CSS is used in many Web pages to define the presentation of the sites' content. Symantec currently detects the exploit with the Bloodhound.Exploit.129 antivirus signature and is working on new signatures now. Symantec IPS protection also currently detects this exploit with signatures HTTP Microsoft IE Generic Heap Spray BO and HTTP Malicious Javascript Heap Spray BO. A new IPS signature, HTTP IE Style Heap Spray BO, has also been created for this specific exploit."

Symantec also observes that "The exploit currently exhibits signs of poor reliability, but we expect that a fully-functional reliable exploit will be available in the near future. When this happens, attackers will have the ability to insert the exploit into Web sites, infecting potential visitors. For an attacker to launch a successful attack, they must lure victims to their malicious Web page or a Web site they have compromised. In both cases, the attack requires JavaScript to exploit Internet Explorer."

Microsoft is aware of the issue, but has not yet made a patch available – hopefully it will appear in the next Patch Tuesday updates (due in a couple of weeks). In the mean-time, iTWire strongly recommends that all readers using Internet Explorer V6 or V7 ensure their virus scanning software is up to date. In addition, the usual warning applies – don't visit strange web sites!

Finally, users may wish to disable Active Scripting in the Internet and Local Intranet security zones of Internet Explorer.