New zero-day bug targets IE users in drive-by attack

Computers infected with malware after visiting a "strategically important Web site," security firm FireEye warns.

Steven Musil Night Editor / News

A pair of vulnerabilities in Internet Explorer are currently being exploited in the wild to install malware on computers that visit at least one malicious Web site, security researchers warn.

The classic drive-by download attack targets the English versions of IE 7 and 8 on Windows XP and IE 8 on Windows 7, security firm FireEye warned in a company blog post Friday. However, the firm wrote that its analysis indicated that other languages and browser versions could be at risk.

"The exploit targets the English version of Internet Explorer, but we believe the exploit can be easily changed to leverage other languages," FireEye researchers Xiaobo Chen and Dan Caselden wrote. "Based on our analysis, the vulnerability affects IE 7, 8, 9 and 10."

The second of the two holes is an information leakage vulnerability that is used to retrieve the timestamp from the program executable's header.

"The timestamp is sent back to the attacker's server to choose the exploit with a ROP chain specific to that version of msvcrt.dll," the pair wrote. "This vulnerability affects Windows XP with IE 8 and Windows 7 with IE 9."
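The field the information leak retrieves is the TimeDateStamp in the PE/COFF file header, which changes with every build of a library and therefore identifies the exact copy of msvcrt.dll that is loaded. The following Python example, added here and not part of the article or FireEye's analysis, parses that field from a PE image the way an inventory or triage script would when recording which library builds are present on a host; the minimal PE image it builds for input is constructed for the example and is not a real msvcrt.dll.

```python
import struct
from datetime import datetime, timezone

# Offsets and sizes from the Microsoft PE/COFF specification.
E_LFANEW_OFFSET = 0x3C       # DWORD in the DOS header: offset of the "PE\0\0" signature
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20        # Machine .. Characteristics


def read_pe_timestamp(image: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image.

    Raises ValueError on anything that is not a well-formed DOS/PE header, so a
    truncated or non-PE file is reported instead of yielding a garbage value.
    """
    if len(image) < E_LFANEW_OFFSET + 4 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, E_LFANEW_OFFSET)
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    if len(image) < coff + COFF_HEADER_SIZE:
        raise ValueError("truncated COFF file header")
    # COFF file header: Machine (u16), NumberOfSections (u16), TimeDateStamp (u32), ...
    _machine, _nsections, timestamp = struct.unpack_from("<HHI", image, coff)
    return timestamp


def is_pe_image(image: bytes) -> bool:
    """Convenience wrapper: True if the header parses, False otherwise."""
    try:
        read_pe_timestamp(image)
        return True
    except ValueError:
        return False


def timestamp_to_utc(ts: int) -> str:
    """Render a TimeDateStamp as an ISO 8601 UTC string for human-readable inventories."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def build_minimal_pe(timestamp: int) -> bytes:
    """Construct a minimal, non-loadable PE image carrying the given TimeDateStamp.

    This is a constructed test fixture: only the headers needed by the parser
    are present, so it exercises the same code path as a real DLL header.
    """
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    # Machine=IMAGE_FILE_MACHINE_I386, 1 section, TimeDateStamp, no symbols,
    # no optional header, Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL.
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0, 0x2102)
    return bytes(dos) + PE_SIGNATURE + coff


if __name__ == "__main__":
    sample = build_minimal_pe(1262304000)  # constructed value: 2010-01-01T00:00:00Z
    ts = read_pe_timestamp(sample)
    print(f"TimeDateStamp = {ts} ({timestamp_to_utc(ts)})")
```

Two copies of a library with the same file name but different TimeDateStamp values are different builds, which is exactly why a single leaked 32-bit value was enough for the attackers to pick a matching gadget layout; on the defensive side, recording this value per host makes it possible to tell quickly which machines carry a given build.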

The exploit's "ROP chain" refers to return-oriented programming, a technique that strings together small instruction sequences already present in a loaded library (here, a specific build of msvcrt.dll) so the attack can run without introducing new executable code that security defenses would block. Because the addresses of those sequences differ from build to build, the exploit must first learn which build of the library is loaded, which is what the timestamp leak provides.

FireEye wrote in a follow-up post that further analysis found that the exploit was part of an advanced persistent threat (APT) in which attackers inserted the exploit code directly "into a strategically important website, known to draw visitors that are likely interested in national and international security policy."

Further distinguishing this exploit from others is that the payload was delivered without first writing to disk, a technique that "will further complicate network defenders' ability to triage compromised systems, using traditional forensics methods," the researchers wrote.

"Specifically, the payload is shellcode, which is decoded and directly injected into memory after successful exploitation via a series of steps," FireEye researchers wrote in the latest post. "By utilizing strategic Web compromises along with in-memory payload delivery tactics and multiple nested methods of obfuscation, this campaign has proven to be exceptionally accomplished and elusive. APT actors are clearly learning and employing new tactics."

FireEye did not identify the affected Web site but said the attacks can be mitigated by using Microsoft's Enhanced Mitigation Experience Toolkit (EMET).