Security Information Vulnerability Research Security Blog

Yet another 0day for IE

September 19th, 2006 by , Filed under: Botnets, Commentary, Microsoft, Virus, Web

sunbelt software released a warning on a new ie 0day they detected in-the-wild, to quote them:

“the exploit uses a bug in vml in internet explorer to overflow a buffer
and inject shellcode. it is currently on and off again at a number of
sites.
security researchers at microsoft have been informed. this story is
developing and research is ongoing. security professionals can contact
me for collaboration or further information. this exploit can be mitigated
by turning off javascripting.”

they also notified some closed and vetted security information sharing groups on the matter, with further details. you can find their blog entry here:
http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html

that’s that.

why do i call it a 0day? because it has indeed been used in-the-wild before it was publicly discovered. people are currently and for a while now, being exploited.

lately we call every exploit being released in full disclosure mode a 0day. that’s a 1-day or at least it has to be from now on, as there are just too many of those and there are more to come.

this trend started with websense detecting an ie 0day (not really ie – wmf) used in-the-wild by spyware, to infect users.
“responsible disclosure” is important, but when it takes so long to get a response or a fix with “irresponsible vendors”, and with so much money to be made by not disclosing vulnerabilities at all – it is becoming passe. new exploits don’t need to be gleamed from patches or feared in full disclosure. someone just pays for a 0day.. it’s their business and
they invest in it.

so:
1. lots more coming.
2. please call it a 1-day if it’s full disclosure mode, and 0day if it
has been seen in-the-wild.

the motivation has now moved from “let’s be responsible” or “let’s have fun” to “let’s make money” or “let’s stop waiting and be mocked by irresponsible vendors”. this is not about everybody, it’s about how things are.

even idefense and zdi can’t pay enough when compared with people who make money from what the 0day gives them – exploited users and a money making botnet.

gadi evron,
ge@beyondsecurity.com.

Share
  • http://explabs.com Roger

    hi sunshine,

    it’s mildy amusing that we already detected it with our generic webattacker sigs.

    good find by the sunbelt guys though.

    and judging by their load-list, it’s more proof that dollarrevenue and the adware vendors that pay commissions per install, regardless of how it gets installed, are becoming public enemy number 1.

  • sunshine

    Yep, this doesn’t work, though, on XP with SP2. DEP works even without NX, according to a friend.

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    DEP doesn’t protect IE by default — you’d have to turn it on for all processes in order for it to work.

  • Share







  • Categories


Security RSS Subscribe