Page 1 of 2
This week's zero-day threat involving multiple versions of Internet Explorer may frequently leverage the presence of Java on the infected machine.
The memory corruption vulnerability, which was acknowledged on Monday by Microsoft, impacts versions 7, 8 and 9 of Internet Explorer; however, version 10, the most recent rev, appears to be unaffected at this point.
It is possible that the current attack is being run by the same group that has been using a widely-publicized Java vulnerability, given that researchers have found that the Metasploit-based version of the attack uses Java as a means of supporting the deployment of Poison Ivy malware, a remote administration tool.
According to Marc Maiffret, CTO at BeyondTrust, the attack currently being executed into the wild begins with a malicious website that determines which version of IE the host system is running. It then loads additional software to perform a heap spray and load an iframe. Protect.html is then loaded to trigger the vulnerability, at which point Poison Ivy is downloaded. A successful exploit leads to the ability to execute remote code.
"You essentially need to get a bunch of your attacker-supplied code loaded into memory on Internet Explorer," explained Maiffret. "You can do that through leveraging something like Flash, or in the case of the Metasploit attack, they're using Java. So, it's interesting to note that if you don't have Java, you're not vulnerable to this as a Metasploit attack.
Maiffret continued, "You allocate a whole bunch of memory, and when you leverage the vulnerability, you point the execution of the software back to the memory that you allocated, which has are malicious code. This is about bypassing the memory protections in Windows 7 in order to make the exploit work."
Windows has protections around predictable memory addresses. Java satisfies this requirement in the Microsoft software and thereby helps to enable the attack. At this point, Java has been most closely linked to the Metasploit version of the attack, according to Maiffret.
The attack comes on the heels of Microsoft's September Patch Tuesday, sparking initial concerns that IE users might have to wait three weeks for a patch. But on Tuesday afternoon, Yunsun Wee, director of Microsoft Trustworthy Computing, issued a statement indicating that a patch would be available "in the next few days."
"Given what we are seeing in the news, the level of discomfort in IT and the fact that we have active exploits going on, I'm sure there's a big push at Microsoft to get this out sooner than later," said Andrew Storms, director of security operations for nCircle. "This is aimed at IE 9 through six, which probably represents about 90 percent of the IE market, if not more. IE 10 does not seem to be vulnerable to this. We're not sure why, but I suspect it's a case where it was already found and fixed."