Qualys Blog

www.qualys.com
wkandek

More Info on the IE 0-day

Hi, my name is Richie Lai and I am the Director of Vulnerability Research here at Qualys. Some of you might have seen me with Wolfgang during our monthly Patch Tuesday webcasts. We have been tracking some developments surrounding a 0-day in Internet Explorer, and I just wanted to give everyone the information we've gathered.

Today Microsoft released an advisory for Internet Explorer versions 6 and above on all platforms up to Windows 7. The exploit currently in the wild results in code execution only on Internet Explorer 6 on XP. The vulnerability exists in IE's DOM parsing and results in a dangling pointer that is potentially exploitable for remote code execution. Even though the advisory lists all platforms as affected, there are a few mitigating factors.

First, you are protected from this specific known exploit if Data Execution Prevention (DEP) is enabled in the operating system. While DEP has been proven to stop exploits like this, there are known ways to bypass DEP if you can get code running, which is where the second mitigating factor comes in: Address Space Layout Randomization (ASLR). On platforms where both DEP and ASLR are enabled, exploitation is extremely difficult. In the meantime, we suggest Windows XP users run Microsoft's "Fix-It" from the advisory, which will enable DEP for IE 6 or 7 on XP. The table below outlines the current exploitability across all platforms and IE versions. As you can see, having the most updated browser will significantly reduce your exposure to this vulnerability at this time. We will update you as we get more information regarding this development.

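|      | Windows 2000 | Windows XP | Windows 2003 | Windows Vista | Windows 2008 | Windows 7 |
|------|--------------|------------|--------------|---------------|--------------|-----------|
| IE 6 | Exploitable | Exploitable | DEP protected | N/A | N/A | N/A |
| IE 7 | N/A | Exploitable | DEP protected | Protected by Protected Mode | N/A | N/A |
| IE 8 | N/A | DEP protected with XPSP3 | DEP protected | DEP and ASLR Protected | DEP and ASLR Protected | DEP and ASLR Protected |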
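
To confirm that the DEP mitigation described above is actually in effect on a host, for example after applying the Fix-It, the following added example (not from Qualys or Microsoft) reads the system-wide DEP policy and then asks Windows whether each running iexplore.exe process has DEP enabled. It assumes PowerShell 2.0 or later on XP SP3 or newer, where the `GetProcessDEPPolicy` API is available; the `Audit.Dep` type name and the output wording are choices made for this example.

```powershell
# Added example: audit DEP coverage for Internet Explorer on one Windows host.
# Assumptions: PowerShell 2.0+, XP SP3 or later; Audit.Dep is a name chosen here.
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

# System-wide policy, as reported by WMI.
$os     = Get-WmiObject -Class Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
"System DEP policy : {0} ({1})" -f $policyNames[$policy], $policy
"Hardware DEP      : {0}" -f $os.DataExecutionPrevention_Available

switch ($policy) {
    0 { 'DEP is off system-wide; no process is covered.' }
    1 { 'DEP is forced on for every process.' }
    2 { 'OptIn: only system binaries and opted-in processes are covered; see per-process results.' }
    3 { 'OptOut: every process is covered unless explicitly excluded; see per-process results.' }
}

# Per-process check through the Win32 API (32-bit processes only).
Add-Type -Namespace Audit -Name Dep -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@

$ie = @(Get-Process -Name iexplore -ErrorAction SilentlyContinue)
if ($ie.Count -eq 0) { 'No running iexplore.exe found; start IE and run the check again.' }

foreach ($p in $ie) {
    $flags = [uint32]0
    $permanent = $false
    if ([Audit.Dep]::GetProcessDEPPolicy($p.Handle, [ref]$flags, [ref]$permanent)) {
        # Bit 0x1 is PROCESS_DEP_ENABLE.
        $state = if ($flags -band 1) { 'ENABLED' } else { 'DISABLED' }
        "iexplore.exe PID {0}: DEP {1} (permanent: {2})" -f $p.Id, $state, $permanent
    } else {
        # The call fails for 64-bit processes and when the handle lacks query rights.
        "iexplore.exe PID {0}: DEP state not available (64-bit process or access denied)" -f $p.Id
    }
}
```

A host that reports OptIn together with a DISABLED iexplore.exe is relying on something other than DEP for protection against this exploit.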

Thanks
Richie Lai
Director of Vulnerability Research, Qualys, Inc.
http://twitter.com/rlaiqualys
