Technology News

latest updates from easySERVICE™

Details of IE zero-day exploit published

Now that the IE zero day which caused so much panic over the last several days has been patched, researchers are much more free to discuss details of the attack.

Telemetry from Cisco’s Snort IPS network shows that attacks against its customers began on April 24 with several phishing campaigns.

The attack relies on getting a user to visit a web site with the malicious code and this was the purpose of the phishing emails. Cisco found these subject lines used in the attacks:

  • Welcome to Projectmates!
  • Refinance Report
  • What’s ahead for Senior Care M&A
  • UPDATED GALLERY for 2014 Calendar Submissions

These domains were used to host the malicious code:

  • profile.sweeneyphotos.com
  • web.neonbilisim.com
  • web.usamultimeters.com
  • inform.bedircati.com

The malicious JavaScript on the web page was relatively unobfuscated, according to the researchers. It defined one function named oil() that was never called from within the JavaScript itself. The call was, in fact, initiated by ActionScript in the associated Flash SWF file. The main purpose of the ActionScript is to “spray the heap,” that is, to perform a series of large memory allocations and fill them with particular values, generally “NOP” instructions. This sprayed memory is also where the shellcode lives: the code that takes control once the actual Internet Explorer vulnerability has been triggered.

Once the heap is prepared, the SWF calls back into the web page at oil() with a special string as a parameter. oil() then invokes the exploit by calling eval() on the string passed from the SWF. This causes a crash that eventually results in the shellcode being executed.
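The structure just described (a SWF on the page, plus a JavaScript function that is never called from JavaScript and only hands its argument to eval()) is something a defender can triage for statically. The following is an added example, not code from Cisco or from the original post: a heuristic scanner that flags pages matching that shape. The regexes, the SAMPLE_PAGE and every function name are constructed for illustration.

```python
import re

# "function NAME(PARAMS) {"  -> group 1 = name, group 2 = raw parameter list
FUNC_DEF_RE = re.compile(r'\bfunction\s+([A-Za-z_$][\w$]*)\s*\(([^)]*)\)\s*\{')
SCRIPT_RE = re.compile(r'<script\b[^>]*>(.*?)</script>', re.IGNORECASE | re.DOTALL)
SWF_EMBED_RE = re.compile(r'<(?:object|embed|param)\b[^>]*\.swf\b', re.IGNORECASE)

def _brace_body(js, open_idx):
    """Text between the '{' at open_idx and its matching '}' (string literals are
    not parsed, which is acceptable for a triage heuristic)."""
    depth = 0
    for i in range(open_idx, len(js)):
        depth += 1 if js[i] == '{' else -1 if js[i] == '}' else 0
        if depth == 0:
            return js[open_idx + 1:i]
    return js[open_idx + 1:]

def find_eval_callbacks(js):
    """Names of functions that pass a parameter straight to eval() and have no call
    site anywhere in the page's JavaScript: candidates for a plug-in-driven callback."""
    hits = []
    for m in FUNC_DEF_RE.finditer(js):
        name = m.group(1)
        params = [p.strip() for p in m.group(2).split(',') if p.strip()]
        body = _brace_body(js, m.end() - 1)
        evals_param = any(re.search(r'\beval\s*\(\s*%s\s*\)' % re.escape(p), body)
                          for p in params)
        callers = [c for c in re.finditer(r'\b%s\s*\(' % re.escape(name), js)
                   if c.start() != m.start(1)]  # skip the definition itself
        if evals_param and not callers:
            hits.append(name)
    return hits

def scan_page(html):
    """Triage verdict: the page embeds a SWF *and* defines an uncalled eval() callback."""
    js = '\n'.join(SCRIPT_RE.findall(html))
    embeds_swf = bool(SWF_EMBED_RE.search(html))
    callbacks = find_eval_callbacks(js)
    return {'embeds_swf': embeds_swf, 'eval_callbacks': callbacks,
            'suspicious': embeds_swf and bool(callbacks)}

# Constructed sample page mirroring the described layout: a SWF object plus a
# JavaScript function that only eval()s its argument and has no JS caller.
SAMPLE_PAGE = """<html><body>
<object type="application/x-shockwave-flash" data="movie.swf"></object>
<script>
function helper(x) { return x + 1; }
function oil(s) { eval(s); }
var y = helper(2);
</script></body></html>"""
```

Run `scan_page(SAMPLE_PAGE)` to get the verdict for the constructed page; a legitimate page that calls its own eval() wrapper from JavaScript, or that embeds no SWF, is not flagged.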

There have been several Flash exploits with heap sprays recently. It may be that the attackers brought the Flash object into the picture because they had more trouble getting the exploit to work in IE.

Source: Associated Press

Information

This entry was posted on May 5, 2014 in Browser, Security.