Latest Post

IEPeers – A New Internet Explorer Zero Day Vulnerability

We posted an aside yesterday referencing Microsoft's recent blog post for new security advisory 981374 referencing a new zero day vulnerability in Internet Explorer versions 6 and 7. New details have emerged since, and the exploit has moved from being what was described as part of "limited targeted attacks" to being widely accessible and available as a new module for the Metasploit framework.

Featured Post

The “Aurora” IE Exploit Used Against Google in Action

The big news hit earlier this week, the attack vector that allowed bad actors presumably from China into the networks of Google, Juniper, Adobe, and some 30 other firms was an Internet Explorer zero day, a use after free vulnerability on an invalid pointer reference affecting IE 6, 7, and 8 but only used in IE 6 according to Microsoft. Per Microsoft's Advisory 979352: "In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.. Earlier today this entry from yesterday at Wepawet (an online analysis engine for malware) was pointed out to H.D. Moore, and within hours Metasploit has an exploit of the vulnerability integrated. McAfee has confirmed that the exploit is out and the same one they saw during the investigation. The video below demonstrates how crackers gained access to the corporate networks of Google, et al. using this zero day attack.

Asides

• A blog post on the MSRC web site warned of a new zero-day in Internet Explorer versions 6 and 7 running on Windows XP, Windows 2000, or Windows 2003. The post references Security Advisory (981374), and at this time there aren't many details about the vulnerability other than what MS has stated in the advisory. #
• Microsoft has published the advanced notification for an unscheduled patch update release to occur tomorrow, outside of the normal patch Tuesday cycle. The update is for an Internet Explorer vulnerability reported to be a vector for the Aurora exploit which was used to attack Google and several other companies. The last time Microsoft released an out of band patch was in July of 2009, when an update for Internet Explorer and a related Visual Studio update were released. #
• Microsoft announced in a blog post that the SMB bug which can crash Windows 7 and Server 2008 R2 will not be patched in January's patch Tuesday. We have shown how this bug can cause a severe halt to the OS, however, Microsoft stated that they "are not aware of any active attacks using the exploit code" and are still working on an update. #
• Have you met these types in the forensics forums, lurking in your blog comments, or anywhere else on the Intertubes: The Back-Door Man who knows that MSFT has stealth back doors in Windows, or the Man of Few Words with his pithy "One word: TrueCrypt" style comments? Happy as a Monkey breaks it all down for us. #
• What DNS Is Not by Paul Vixie details what DNS is by explaining what it is NOT. #