A day after December's Patch Tuesday release on Dec. 9, Microsoft found itself investigating reports of a zero-day bug affecting Internet Explorer 7, as well as attacks against an unpatched flaw in the WordPad Text Converter.
According to Vupen Security, exploit code for the IE flaw takes advantage of an issue with the parsing of malformed XML content. However, researchers at Symantec said the problem affects both the XML parsing engine of IE 7 and the library MSHTML.DLL.
“The vulnerability depends on how certain elements of HTML pages are terminated and therefore could potentially affect not only XML, but also other objects handled by the browser,” Elia Florio, a security researcher at Symantec, wrote in a blog post. “This means that attackers may start using different attack vectors in the future to exploit this vulnerability, but at the moment it seems that this recent exploit, which has been publicly released on several Chinese forums, only uses the XML elements and tags.”
The vulnerability, Florio continued, is caused by a function that incorrectly frees a region of heap memory; this allows an attacker to control the EAX register with a specially crafted Unicode URL that includes the “0x0A0A” value.
“Because of the nature of this attack, it does not depend on any specific ActiveX control, so this time we can’t tell you to disable or set the KillBit for a specific CLSID,” Florio wrote. “However, the attack still requires some JavaScript in order to use heap-spray techniques to achieve a reliable code execution; so, blocking JavaScript for untrusted Web sites could help to somewhat mitigate the risk.”
Attackers also have their sights set on a vulnerability in the WordPad Text Converter for Word 97 files on Windows 2000 Service Pack 4, Windows XP SP2, and Windows Server 2003 SP1 and SP2. According to Microsoft’s advisory, Windows XP SP3, Windows Vista and Windows Server 2008 are not affected because those operating systems do not contain the vulnerable code.
“At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability,” the advisory stated. “For an attack to be successful, a user must open an attachment that is sent in an e-mail message.”
The advisory also said, “When Microsoft Office Word is installed, Word 97 documents are by default opened using Microsoft Office Word, which is not affected by this vulnerability. However, an attacker could rename a malicious file to have a Windows Write (.wri) extension, which would still invoke WordPad. This file type can be blocked at the Internet perimeter.”
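The perimeter control the advisory describes can be expressed as a small mail-gateway filter. The following is an added example, not code from the article or from Microsoft: it blocks Windows Write (.wri) attachments outright and separately flags a .wri attachment whose content is actually an OLE2 compound document, which is what a Word 97 file renamed to .wri looks like. The sample message, filenames and the "review" verdict for plain .doc files are constructed for illustration; only the OLE2 signature is a real file-format constant.

```python
"""Perimeter attachment check for the WordPad Text Converter issue.

Added example (not from the article or Microsoft's advisory). It applies the
two mitigations the advisory names: block .wri attachments at the Internet
perimeter, and catch Word 97 documents renamed to .wri so that WordPad, rather
than Word, would open them. The sample message below is constructed.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Signature of an OLE2 compound document, the container used by Word 97 .doc files.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Extension the advisory says can be blocked at the perimeter (assumed policy set).
BLOCKED_EXTENSIONS = {".wri"}


def classify_attachment(filename, data):
    """Return (verdict, reason) for one attachment's name and raw bytes."""
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    is_ole2 = data[:8] == OLE2_MAGIC
    if ext in BLOCKED_EXTENSIONS and is_ole2:
        # A Word 97 document carrying a .wri name: the renaming trick the advisory describes.
        return "block", "Word 97 compound document renamed to .wri (would invoke WordPad)"
    if ext in BLOCKED_EXTENSIONS:
        return "block", "Windows Write (.wri) attachment blocked at perimeter"
    if ext == ".doc" and is_ole2:
        # Opened by Word where Word is installed (not affected); WordPad otherwise.
        return "review", "Word 97 document; WordPad converter used only if Word is absent"
    return "allow", "no WordPad converter trigger"


def scan_message(raw_bytes):
    """Parse an RFC 5322 message and classify every attachment part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        verdict, reason = classify_attachment(part.get_filename(), payload)
        findings.append((part.get_filename(), verdict, reason))
    return findings


def build_sample():
    """Construct a sample message with three attachments (hypothetical data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    # Word 97 container renamed to .wri: the case the advisory warns about.
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 24, maintype="application",
                       subtype="octet-stream", filename="invoice.wri")
    msg.add_attachment("plain text notes", filename="notes.txt")
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 24, maintype="application",
                       subtype="msword", filename="report.doc")
    return bytes(msg)


if __name__ == "__main__":
    for name, verdict, reason in scan_message(build_sample()):
        print(f"{name}: {verdict} ({reason})")
```

Checking the magic bytes rather than trusting the extension matters here because the advisory's whole point is that the file type shown to the user is not what decides which converter runs; the filter keys on the content first and the name second.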
Microsoft did not offer specifics on when patches or updates to address the issues would be available.