Researchers have created attack code that exploits a zero-day vulnerability in Internet Explorer 7 (IE7) as well as in the
newest IE8 -- even when Microsoft's recommended defensive measure is turned on.
Microsoft, however, continues to urge users to upgrade from the eight-year-old IE6 -- the only version yet successfully attacked in
the wild -- to the newer IE7 or IE8.
On Sunday, Dino Dai Zovi, a security vulnerability researcher and co-author of The Mac Hacker's Handbook, crafted attack code that exploits the unpatched vulnerability in IE7 when it's running on either Windows XP or Windows
Vista.
"And now my Aurora exploit works on IE7 on Vista as well as IE6, IE7 on XP. Remember kids, DEP is useless if the app doesn't
opt in," said Dai Zovi on Twitter.
"My version [of the exploit] implements a different heap manipulation algorithm," said Dai Zovi in a telephone interview today.
"It works on IE7 on XP and Vista because the browser doesn't opt in on DEP [data execution prevention]."
In fact, said Dai Zovi, even the newest IE8 isn't safe from attack if it's running on Windows XP Service Pack 2 (SP2) or earlier,
or on Windows Vista RTM (release to manufacturing), the version Microsoft shipped in January 2007. "IE still does not opt
in on DEP for those" operating system editions, Dai Zovi noted.
Users can manually switch on DEP -- a move that Microsoft recommended in the security advisory it issued last week -- but without that tweak, most Windows
users are open to attack, if not by the original exploit then by follow-ups like Dai Zovi's.
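The opt-in question above is something a defender can check rather than assume. The following PowerShell script is an added example, not code from the article or from any of the researchers or companies it quotes. It assumes a Windows system whose kernel32.dll exports GetProcessDEPPolicy (present from Windows XP SP3 and Vista SP1 onward, which is also why a browser on XP SP2 or Vista RTM has no per-process way to opt in) and PowerShell 3 or later for Get-CimInstance. The DepCheck namespace and the 'iexplore' process name are placeholders chosen for the example; it reports the boot-time DEP policy and, for each matching 32-bit process, whether that process currently has DEP enabled and whether the setting is permanent.

```powershell
# Added example (not from the article): report the system-wide DEP policy and the
# per-process DEP opt-in state of a named 32-bit process.
# Assumes: Windows XP SP3 / Vista SP1 or later (GetProcessDEPPolicy exists),
#          PowerShell 3+ (Get-CimInstance). "DepCheck" is a placeholder namespace.

Add-Type -Namespace DepCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@

function Get-SystemDepPolicy {
    # Win32_OperatingSystem exposes the boot-time policy:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default for client Windows), 3 = OptOut
    $code  = (Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    [pscustomobject]@{ Code = $code; Policy = $names[[int]$code] }
}

function Get-ProcessDepStatus {
    param([Parameter(Mandatory)][string]$Name)   # e.g. 'iexplore' (placeholder)
    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $flags = [uint32]0; $permanent = $false
        try {
            # GetProcessDEPPolicy only answers for 32-bit processes; for 64-bit
            # targets it fails and the Error column carries the Win32 message.
            $ok = [DepCheck.Native]::GetProcessDEPPolicy($p.Handle, [ref]$flags, [ref]$permanent)
            $err = if ($ok) { $null } else { [ComponentModel.Win32Exception]::new().Message }
        } catch {
            # Opening the handle can fail for protected or other users' processes
            $ok = $false; $err = $_.Exception.Message
        }
        [pscustomobject]@{
            Name       = $p.ProcessName
            Id         = $p.Id
            DepEnabled = if ($ok) { [bool]($flags -band 1) } else { $null }  # PROCESS_DEP_ENABLE = 0x1
            Permanent  = if ($ok) { $permanent } else { $null }
            Error      = $err
        }
    }
}

Get-SystemDepPolicy
Get-ProcessDepStatus -Name 'iexplore'
```

Under the default OptIn policy, the system-level reading alone says nothing about the browser; the per-process row is what shows whether a given iexplore.exe instance is actually covered, and a process that has opted in with the permanent flag cannot later turn DEP off for itself.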
In fact, even DEP can be circumvented, a point the French firm VUPEN Security made today. "While the public exploit only targets
Internet Explorer 6 without DEP, VUPEN Security has confirmed code execution with Internet Explorer 8 and DEP enabled," the
company said in an e-mail. "Enabling DEP will only protect users from current exploits."
Although VUPEN has created an exploit that works on IE8 with DEP enabled, it's not releasing the attack code to the public; instead, it will offer the exploit
only to legitimate security vendors for penetration testing purposes.
Because VUPEN's means of bypassing DEP relies on JavaScript, the company recommended that users disable Active Scripting
in IE until a patch is available.
There are other ways to do an end-around DEP, said Dai Zovi. "There have been techniques to totally bypass DEP in the public
for almost two years now," he said, adding that he plans to discuss his own circumvention method during a presentation at
the RSA Conference in early March.
When asked about VUPEN's report of bypassing DEP, a Microsoft spokesman said the company is "investigating claims of the
ability to bypass the Data Execution Prevention (DEP) feature in Internet Explorer." Microsoft will "take appropriate action"
once it's looked into the matter, the spokesman added.
Yesterday, the company gave its strongest hint yet that it will release a patch for the IE flaw before Feb. 9, the next regularly scheduled
Patch Tuesday.