The vulnerability in Internet Explorer is very similar to other
vulnerabilities we have seen in Microsoft's browser in that it allows
the attacker to carry out a drive-by download attack. This means that
it is enough for the user to visit a website or view a specially
crafted HTML email to be infected. Unfortunately, it also means that it
is only a matter of time before we see large-scale attacks using the
new vulnerability.
Limited public use
Over the weekend our ThreatSeeker(TM) network identified limited
public use of the new vulnerability. The malicious page was hosted on
http://66cc.[REMOVED]:2988/dz/ie.html but has since been taken offline.
Below is a screenshot of the example code:
Protection
Websense includes active protection in our Web Security Gateway to
protect against any attack that uses this vulnerability so our
customers are protected. Below is a screenshot of one of our internal
tools and how it deobfuscates the attack page.
Technical details
The problem lies in how Internet Explorer accesses a memory region
after it has been freed, combined with a heap spray attack. When an
event is fired by an image loading or by clicking a link, the exploit
clones the event object using the "document.createEventObject()"
JavaScript method. It then references the element the event originated
from using the "document.getElementById()" method and destroys that
object by assigning an arbitrary string to it. The cloned event is now
invalid. However, the JavaScript engine does not clean up properly, and
the data can still be accessed from the freed memory within the
JavaScript virtual machine. The exploit then tries to access the
corrupted memory through the "srcElement" property of the cloned
object. As mentioned, the object has already been freed, so the memory
it occupied may contain arbitrary data. The exploit calls a delay
function to wait until the memory is garbage collected and reused.
The property access through srcElement is actually interpreted as a
kind of method call, and the actual call that is issued lives inside
mshtml.dll. The method is "CEventObj::GenericGetElement", which tries
to retrieve the element from the event object and, to do so, calls a
method through the corrupted object's vtable. This method calls
"CElement::GetDocPtr", which looks like the following:
When this method is called, ecx has already been corrupted to point
into the pre-allocated, heap-sprayed area, and the call instruction
moves eip into that area. The malicious shellcode then finally takes
control of the mother ship. The public exploit only works reliably on
Internet Explorer 6. However, Internet Explorer 7 is also vulnerable in
its default configuration. Internet Explorer 8 is not, because DEP is
enabled by default.
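As an added example (not Websense's tool or any code from the original post), the following Python script turns the attack chain described above into a simple content heuristic: it only flags a page when the event-cloning and srcElement tokens appear together with a heap-spray idiom. The indicator names, regular expressions, decision rule and both sample pages are constructed assumptions for this example; since attack pages are normally obfuscated, it is meant to run on deobfuscated source.

```python
import re

# Indicators taken from the attack chain the post describes. Names, patterns
# and the "suspicious" rule are constructed assumptions for this example, not
# a vendor signature; run it on deobfuscated page source, as obfuscation hides
# these tokens.
INDICATORS = {
    "clone_event": re.compile(r"createEventObject\s*\(", re.I),
    "src_element": re.compile(r"\.srcElement\b"),
    "delay": re.compile(r"\bset(?:Timeout|Interval)\s*\(", re.I),
    "heap_spray": re.compile(r"unescape\s*\(\s*['\"]%u[0-9a-f]{4}", re.I),
    "spray_loop": re.compile(r"\.length\s*<\s*(?:0x[0-9a-f]+|\d{5,})", re.I),
}

def score_page(source: str) -> dict:
    """Report which indicators fired and whether their combination matches
    the clone/free/re-read pattern together with a heap spray."""
    hits = {name: rx.search(source) is not None for name, rx in INDICATORS.items()}
    suspicious = (hits["clone_event"] and hits["src_element"]
                  and (hits["heap_spray"] or hits["spray_loop"]))
    return {"hits": hits, "suspicious": suspicious}

# Constructed sample 1: legitimate IE-only event code that clones an event
# object; on its own it must not be flagged.
BENIGN = """
<script>
function relay(e) {
  var copy = document.createEventObject(e);
  copy.cancelBubble = true;
  return copy.srcElement.id;
}
</script>
"""

# Constructed sample 2: the same tokens next to a heap-spray idiom and a
# delay, which is the combination the post describes. Marker tokens only;
# there is no trigger and no shellcode here.
SUSPICIOUS = """
<script>
var pad = unescape("%u4141%u4141");
while (pad.length < 0x40000) pad += pad;
var ev = document.createEventObject();
setTimeout("probe()", 1000);
function probe() { return ev.srcElement; }
</script>
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, score_page(src))
```

Expect false positives from pages that legitimately combine these idioms; the rule is a triage signal for further inspection, not a verdict.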
This analysis is based on public exploit code available on the Internet. The exploit has also been added to the Metasploit Framework.
We are also working with Microsoft to identify websites using the new
vulnerability by using our ThreatSeeker(TM) network that scans hundreds
of millions of websites on a daily basis.
We will keep updating this blog post as we find new information.
Source: http://securitylabs.websense.com/content/Blogs/3530.aspx