Critical zero-day hole in Internet Explorer - Update 2
While analysing a compromised web page, security experts from FireEye discovered malware that exploits a previously unknown security hole in Internet Explorer. The hole allows attackers to inject malicious code into the Internet Explorer user's system when a specially crafted web page is visited. All versions up to and including IE version 8 are vulnerable; currently available information suggests that later versions are not affected.
The researchers from FireEye report that the attackers first used a Flash applet to deploy shellcode in RAM by means of heap spraying, and that they then managed to execute the code via the zero-day hole in IE. The hole involves a use-after-free issue with CDwnBindInfo within IE. The security hole the researchers found was exploited to inject a DLL into the system, but they have yet to comment on the library's purpose.
Talking to security blogger Brian Krebs, Microsoft confirmed the vulnerability and said that only versions 6 to 8 of Internet Explorer are affected. Since that confirmation, a Metasploit module has been published and US-CERT has released a vulnerability note on the issue. With details of the problem in circulation, it is very likely that attackers have added, or are adding, the exploit to their arsenal of malware; users should look at moving to IE9 or later where they can.
Update (1/1/2013): Microsoft has now released a FixIt patch which it says will prevent the vulnerability from being used for code execution. The company notes that applying the FixIt does not require a reboot and that it is still working on a security fix for the issue.