New IE 0day vulnerability used for drive-by
A few days ago, FireEye announced that a new 0day use-after-free vulnerability, CVE-2014-0322 in Internet Explorer 10, is being exploited by attackers to deliver malicious code (drive-by). The website of the US Veterans of Foreign Wars (vfw[.]org) is reported to have been compromised with a malicious IFrame that redirected users to another malicious web page, which exploited the vulnerability using a Flash file (.swf).

The exploit uses an ActionScript heap spray to bypass ASLR and ROP over gadgets from well-known libraries to bypass DEP, and it also checks for the presence of EMET on the system: if the EMET library (EMET.DLL) is detected, the exploit terminates. To gain access to the browser's process memory, the malicious SWF corrupts a Flash Vector object (via the IE10 use-after-free vulnerability). Once this is done, the exploit downloads the payload from a remote server, decrypts it and launches it. ESET antivirus products detect this exploit as Win32/Exploit.CVE-2014-0332.A and the payload as Win32/Agent.QEP.
IE10 comes by default with Windows 7 SP1. One of its key innovations was the sandboxing technology known as EPM (Enhanced Protected Mode), which we have written about in detail here and here. Microsoft does not enable this mode by default, so when working with IE10+ do not forget to turn it on: it greatly improves the browser's resistance to exploits. Unfortunately, EPM is fully implemented in IE10 only on Windows 8, and only partially on Windows 7 x64.
Other browser versions, including the latest IE11, which ships with Windows 8.1 by default and is also available for Windows 7, are not vulnerable. You can also disable the Flash plugin in IE10, which will protect against attacks of this kind.

Fig. Enhanced Protected Mode in IE10+ on Windows 7+ x64.
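The two mitigations recommended above, EPM and disabling the Flash plugin, can be audited from the registry. The following PowerShell script is an added example, not part of the original post or ESET's tooling; the registry paths, the Isolation/Isolation64Bit values, the Flash ActiveX CLSID and the 0x400 kill bit are the documented Windows ones and are assumed here rather than taken from the post.

```powershell
# Added example (not from the original post): report whether IE10's Enhanced
# Protected Mode is on and whether the Flash ActiveX control is blocked in IE.
# Registry locations below are the documented Windows ones (assumed, not from the post).

function Get-IEMitigationStatus {
    $main   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main'

    # EPM is enabled when Isolation = "PMEM" (per-user setting or Group Policy equivalent).
    $iso = (Get-ItemProperty -Path $main -Name Isolation -ErrorAction SilentlyContinue).Isolation
    if (-not $iso) {
        $iso = (Get-ItemProperty -Path $policy -Name Isolation -ErrorAction SilentlyContinue).Isolation
    }
    $epmOn = ($iso -eq 'PMEM')

    # On x64 Windows, EPM only runs 64-bit tab processes when Isolation64Bit = 1.
    $iso64 = (Get-ItemProperty -Path $main -Name Isolation64Bit -ErrorAction SilentlyContinue).Isolation64Bit
    $epm64 = ($iso64 -eq 1)

    # Flash ActiveX control CLSID; kill bit 0x400 in "Compatibility Flags" blocks it in IE.
    $flashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
    $axPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid"
    $flags = (Get-ItemProperty -Path $axPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flashKilled = (($flags -band 0x400) -ne 0)

    [pscustomobject]@{
        EPMEnabled      = $epmOn
        EPM64BitTabs    = $epm64
        FlashKillBitSet = $flashKilled
    }
}

$status = Get-IEMitigationStatus
$status | Format-List
if (-not $status.EPMEnabled) {
    Write-Warning 'Enhanced Protected Mode is off: enable it under Internet Options > Advanced.'
}
if (-not $status.FlashKillBitSet) {
    Write-Warning 'Flash ActiveX control is not blocked in IE.'
}
```

Run it in an elevated PowerShell session on the workstation being checked; the HKLM policy and ActiveX Compatibility keys may be absent, in which case the corresponding mitigation is reported as not set.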
