Vulnerabilities / Threats
12/11/2008
04:19 PM
50%
50%

Zero-Day Bug Discovered In IE7

Vulnerability in the wild could allow attackers to control and steal data from remote PCs

An unpatched security vulnerability in Internet Explorer 7 is being actively exploited in the wild, and could allow attackers to control remote PCs and access personal information without the user's knowledge, security researchers say.

The vulnerability takes advantage of Internet Explorer's handling of specially crafted XML tags, which can leave the browser susceptible to a heap spray attack, according to researchers at ScanSafe. A successful exploit could result in the installation of a data theft Trojan with autorun worm capabilities, the company says.

Release of the exploit appears to be intentionally timed to fall after Patch Tuesday, when Microsoft typically issues patches for newly discovered vulnerabilities. The first exploits appeared just 48 hours after Microsoft made this month's patches available.

So far the zero-day "does not appear to be wildly used, but the code is publicly available," according to researchers at Qualys. Still, exploits that take advantage of IE7 -- which was supposed to have been Microsoft's "safer" browser -- are a concern, the researchers said.

"Zero-day exploits involving any widely used software are particularly concerning," says Mary Landesman, senior security researcher at ScanSafe. "When it impacts a browser as widely used as Internet Explorer, it can have serious implications. Predictably, attackers were very quick to add the IE7 exploit to their tool kit, and we anticipate these attacks will escalate over the coming weeks."

"The browser is the most popular vehicle for getting exploits on client machines with the ultimate goal of controlling the machine for monetary purposes," adds Wolfgang Kandek, CTO at Qualys. "It is more reliable for an attacker to exploit a server vulnerability -- where no human intervention is required -- but today, the Web browser is the 'killer application' that everybody uses and provides the biggest attack vector. Browsers are very complex and powerful programs and are very difficult to secure."

Two other zero-day vulnerabilities were discovered in the Microsoft environment this week. One impacts Microsoft SQL Server 2000 and is alleged to be remotely exploitable via SQL injection attacks. Unlike typical SQL injection attacks, which pose the greatest risk to site visitors, this particular attack would directly impact the server as well.

A third zero-day vulnerability has been reported in WordPad's text conversion feature. Microsoft has reported that there are "targeted attacks seeking to exploit this vulnerability" and released a patch for it on Tuesday.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.