Zero-Day IE Exploit Coming to a Browser Near You

Information regarding another zero-day vulnerability in the Internet Explorer web browser affecting version 6 and 7 has been published as Proof-of-Concept over the weekend. The vulnerability lies in a missing check when accessing a website’s Stylesheet markup information through the ”žgetElementsByTagName“ script method. The current PoC exploit uses heap-spraying to write the malicious shellcode to memory before triggering the vulnerability. While exploits for this new vulnerability may not yet be in-the-wild (beyond PoC state), you can be sure that the malware community will be working overtime to ensure reliability and maximum effect. The underground community rapidly turn these proof of concepts into working exploits to add to their Web exploit toolkits, differentiating their product from the competition – especially when there is no patch available from Microsoft to mitigate the risk.

Web Exploits continue to be the preferred attack mechanism of choice, with many organisations challenged by managing the number of patches for the browser and associated plug-ins, making it an effective attack vector for the malware authors. We have seen increasingly complex JavaScript mechanisms to attempt to evade detection – please ensure you have appropriate protection against this contemporary attack vector.

Recommendations to disable scripting in your browser may help to protect from this new threat, but simply is not realistic in the Web 2.0 world in which we now browse in. McAfee protects its customers against the current PoC exploit, blocking it proactively as “JS/Exploit-BO.gen” in VirusScan and as “BehavesLike.JS.Suspicious.A” at the Web Gateway with McAfee Gateway-Anti-Malware.