The Tech Herald

IE7 needs more patching - MS09-002 exploits seen in the wild

by Steve Ragan - Feb 18 2009, 20:55

Not a week after the vulnerability was patched by Microsoft, criminals have reverse engineered a patch that addresses uninitialized memory corruption and CSS memory corruption within Internet Explorer 7. The criminals are using what they've discovered about the flaws to target Internet Explorer users.

The patch, MS09-002, is only for Internet Explorer 7 - other versions of the Web browser are not vulnerable to this particular attack. While Microsoft stresses the vulnerable versions, and mentions that the method of exploitation is a malicious Web site, experts are warning people about other methods criminals can use.

“The exploit targets Internet Explorer 7, but so far it has been delivered to the end user as a Word document,” wrote Bojan Zdrnja in a SANS ISC entry on the subject. “That being said, there is absolutely nothing preventing attackers from using the exploit in a drive-by attack (and we can, unfortunately, expect that this will happen very soon).”

TrendMicro reported the issue on Tuesday, outlining the chain of attack it has witnessed; so far, that chain starts with a malicious DOC file.

“This file has a very limited distribution script, suggesting it may be a targeted attack. It contains an ActiveX object that automatically accesses a site rigged with a malicious HTML,” said TrendMicro.

The malicious Web site is really what exploits the flaws addressed in MS09-002. Once a user is directed to that site, without their consent, they are given a backdoor as the initial payload, which in turn downloads a malicious DLL file that captures information and sends it off to another waiting URL.

While the notion that criminals are smart enough to reverse engineer a patch and use the information to develop new exploits is hardly unexpected or new, these exploits only work against systems where the patch has not been applied.

The new exploits seen moving about online are serious and pose a threat, but they are rendered useless if you have already patched your system with February’s releases from Microsoft.

More information can be found at the TrendMicro blog.
