Microsoft issued an emergency fix Jan. 21 to patch the Internet Explorer vulnerability at the center of a spate of cyber-attacks against Google, Adobe Systems and dozens of other companies.
The update actually addresses a total of eight vulnerabilities in IE, the most serious of which can be exploited for remote code execution. The flaw at the center of the cyber-attack on Google is CVE-2010-0249.
According to new findings from Symantec, the fix comes as a new exploit targeting the vulnerability has begun to make the rounds on the Internet.
“The new exploit is being hosted on hundreds of Websites and Symantec detects the malicious HTML pages as Trojan.Malscript!html,” said Josh Talbot, security intelligence manager for Symantec Security Response. “The pages contain a shell code that bypasses a warning dialog shown after downloaded file gets executed. The page replaces the code of ‘MessageBeep API’ so that the Internet Explorer process which attempts to play a beep sound will be terminated.
“After the termination of the process, it causes the Internet Explorer window to be displayed again,” Talbot continued. “The shell code also contains code to avert API hooking when it calls APIs. By doing this, some security products may miss some monitored APIs.”
In the end, a malicious file is downloaded, Symantec reported.
Though Microsoft noted that some of its other applications use mshtml.dll as a rendering engine and could be used as an attack vector if they allow active scripting, the company said the IE update closes down all known attack vectors.
Six of the vulnerabilities are memory corruption flaws. The remaining two include a cross-site scripting filter-handling vulnerability and a URL validation vulnerability.
“According to the Microsoft Security Research & Defense team, this update also address the DEP bypass vulnerability made public yesterday, which exists in all current versions of Internet Explorer,” said Don Leatham, senior director of business development at Lumension. “If not bypassed, DEP can help in stopping the exploit code. Newer versions of Internet Explorer running on Windows Vista and Windows 7 are less vulnerable.
“These versions of Windows have Address Space Layout Randomization (ASLR) that provides an extra level of protection beyond DEP,” Leatham added. “This is a clear, real-world example of the superior security model implemented in Windows Vista and Windows 7, and should be a wake-up call to organizations still running Windows XP to accelerate their migration plans.”