Researchers up ante, create exploits for IE7, IE8

IE6 isn't the only version vulnerable; Microsoft's mitigations "weak," argues expert

Researchers have created attack code that exploits a zero-day vulnerability in Internet Explorer 7 (IE7) as well as in the newest IE8 -- even when Microsoft's recommended defensive measure is turned on.

Microsoft, however, continues to urge users to upgrade from the eight-year-old IE6 -- the only version yet successfully attacked in the wild -- to the newer IE7 or IE8.

On Sunday, Dino Dai Zovi, a security vulnerability researcher and co-author of The Mac Hacker's Handbook, crafted attack code that exploits the unpatched vulnerability in IE7 when it's running on either Windows XP or Windows Vista.

"And now my Aurora exploit works on IE7 on Vista as well as IE6, IE7 on XP. Remember kids, DEP is useless if the app doesn't opt in," said Dai Zovi on Twitter.

"My version [of the exploit] implements a different heap manipulation algorithm," said Dai Zovi in a telephone interview today. "It works on IE7 on XP and Vista because the browser doesn't opt in on DEP [data execution prevention]."

In fact, said Dai Zovi, even the newest IE8 isn't safe from attack if it's running on Windows XP Service Pack 2 (SP2) or earlier, or on Windows Vista RTM (release to manufacturing), the version Microsoft shipped in January 2007. "IE still does not opt in on DEP for those" operating system editions, Dai Zovi noted.

Users can manually switch on DEP -- a move that Microsoft recommended in the security advisory it issued last week -- but without that tweak, most Windows users are open to attack, if not by the original exploit then by follow-ups like Dai Zovi's.
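As an added example (not from the article or from Microsoft's advisory), the PowerShell below reports the system-wide DEP policy and whether running browser processes actually have DEP enabled, which is the opt-in question raised above. The default process name `iexplore` and the function name `Get-ProcessDepState` are assumptions made for illustration.

```powershell
# Added example: report system DEP policy and per-process DEP state.
# 'iexplore' as the default target and the function name are assumptions.
Add-Type -Namespace DepAudit -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@

function Get-ProcessDepState {
    param([string]$Name = 'iexplore')

    # System-wide policy: OptIn means only processes that ask for DEP get it.
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $systemPolicy = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]

    foreach ($proc in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $flags = [uint32]0
        $permanent = $false
        $state = 'Unknown'
        try {
            if ([DepAudit.Native]::GetProcessDEPPolicy($proc.Handle, [ref]$flags, [ref]$permanent)) {
                # Bit 0 is PROCESS_DEP_ENABLE.
                $state = if ($flags -band 1) { 'Enabled' } else { 'Disabled' }
            } else {
                # The call fails for 64-bit processes, where DEP is always on.
                $state = 'NotReported (64-bit process or query failed)'
            }
        } catch {
            # Opening a handle to another user's process can be refused.
            $state = 'AccessDenied'
        }
        [pscustomobject]@{
            SystemPolicy = $systemPolicy
            ProcessName  = $proc.ProcessName
            Id           = $proc.Id
            Dep          = $state
            Permanent    = $permanent
        }
    }
}

Get-ProcessDepState | Format-Table -AutoSize
```

A `SystemPolicy` of `OptIn` combined with `Dep` of `Disabled` for a browser process is the exposed configuration the article describes.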

In fact, even DEP can be circumvented, a point the French firm VUPEN Security made today. "While the public exploit only targets Internet Explorer 6 without DEP, VUPEN Security has confirmed code execution with Internet Explorer 8 and DEP enabled," the company said in an e-mail. "Enabling DEP will only protect users from current exploits."

Although Vupen has created an exploit that works on IE8 with DEP enabled, it's not releasing the attack code to the public; instead, it will offer the exploit only to legitimate security vendors for penetration testing purposes.

Because Vupen's means of bypassing DEP relies on JavaScript, the company recommended that users disable Active Scripting in IE until a patch is available.

There are other ways to do an end-around DEP, said Dai Zovi. "There have been techniques to totally bypass DEP in the public for almost two years now," he said, adding that he plans to discuss his own circumvention method during a presentation at the RSA Conference in early March.

When asked about Vupen's report of bypassing DEP, a Microsoft spokesman said the company is "investigating claims of the ability to bypass the Data Execution Prevention (DEP) feature in Internet Explorer." Microsoft will "take appropriate action" once it's looked into the matter, the spokesman added.

Yesterday, the company gave its strongest hint yet that it will release a patch for the IE flaw before Feb. 9, the next regularly-scheduled Patch Tuesday.

"We want to let customers know that we will release this security update [emphasis in original] as soon as the appropriate amount of testing has been completed," said Jerry Bryant, a security program manager, in a Monday post to the Microsoft Security Response Center (MSRC) blog.

That would be a good idea, said Dai Zovi. "IE7 is just as vulnerable as IE6 on XP and Vista," he said when asked what users should take away from the confusing discussion about the newest zero-day. "And although IE8 on XP SP3 presents another layer of difficulty [to attackers], DEP can be bypassed with known public techniques." That leaves IE8 on Vista SP1 and later, and IE8 on Windows 7, as the safest situations for IE users, Dai Zovi continued.

"But these mitigations, like DEP, are really weak," he said. "They're all or nothing. That's why the sandboxing of a browser like Chrome is a point that warrants being made again."

Two weeks ago, Dai Zovi argued that all browser makers should mimic Google's browser and its "sandboxing," the separation of application processes from other applications, the operating system and user data.

This IE vulnerability has gained more attention than most zero-day bugs because it has been linked to the attacks that broke into Google's corporate network. McAfee was the first to reveal that the attacks against Google had been conducted using exploits of the IE vulnerability. Google has claimed that the attacks originated in China.


Gregg Keizer

Computerworld (US)