
New IE 0day vulnerability used for drive-by

A few days ago FireEye reported that a new 0day use-after-free vulnerability in Internet Explorer 10, CVE-2014-0322, is being exploited in the wild to deliver malicious code via drive-by download. According to the report, the website of the US Veterans of Foreign Wars (vfw[.]org) was compromised with a malicious IFrame that redirected visitors to another malicious page, which in turn exploited the vulnerability through a Flash file (.swf).


The exploit uses an ActionScript heap spray to bypass ASLR and a ROP chain built from gadgets in well-known libraries to bypass DEP; it also checks whether EMET is present on the system. If the EMET library, EMET.DLL, is detected, the exploit simply terminates. To gain access to the memory of the browser process, the malicious SWF uses the Flash Vector object corruption technique, triggered through the IE10 use-after-free. Once these steps are complete, the exploit downloads the payload from a remote server, decrypts it and executes it. ESET products detect the exploit as Win32/Exploit.CVE-2014-0332.A and the payload as Win32/Agent.QEP.
IE10 ships by default with Windows 7 SP1. One of its key innovations was a sandboxing technology known as EPM (Enhanced Protected Mode), which we have written about in detail here and here. Microsoft does not enable this mode by default, so when using IE10 or later, remember to turn it on: it significantly raises the browser's resistance to exploits. Unfortunately, EPM is fully implemented in IE10 only on Windows 8, and only partially on Windows 7 x64.

Other browser versions, including the latest IE11, which ships by default with Windows 8.1 and is also available for Windows 7, are not vulnerable. You can also disable the Flash plugin in IE10, which protects against this class of exploit.
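As an added example that is not part of the original post, the following PowerShell script audits the two mitigations recommended above on a Windows 7 x64 host (EPM enabled, Flash ActiveX control blocked) and can optionally switch EPM on; the registry paths and values it reads are assumptions based on Internet Explorer's documented settings, not taken from the post.

```powershell
# Added example (not from the original post). Registry locations and values below
# are assumptions based on IE's documented settings; verify them on your own build.
param([switch]$Enable)

$main   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$policy = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main'
# CLSID of the Shockwave Flash ActiveX control; kill-bit flag 0x400 blocks it in IE.
$flashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$killBitKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid"

function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# EPM is on when Isolation is 'PMEM' (forced by policy or set per user).
$isolation = Get-RegValue $policy 'Isolation'
if (-not $isolation) { $isolation = Get-RegValue $main 'Isolation' }
$epmOn = ($isolation -eq 'PMEM')
# On x64, 64-bit tab processes additionally require Isolation64Bit = 1 (assumed name).
$x64Procs = ((Get-RegValue $main 'Isolation64Bit') -eq 1)

# Flash is blocked for IE when its CLSID carries the ActiveX kill bit.
$flags = Get-RegValue $killBitKey 'Compatibility Flags'
$flashBlocked = ($null -ne $flags) -and (($flags -band 0x400) -ne 0)

[pscustomobject]@{
    EnhancedProtectedMode = $epmOn
    Epm64BitProcesses     = $x64Procs
    FlashActiveXKillBit   = $flashBlocked
}

if ($Enable -and -not $epmOn) {
    # Same effect as ticking "Enable Enhanced Protected Mode" in Internet Options > Advanced.
    New-Item -Path $main -Force | Out-Null
    Set-ItemProperty -Path $main -Name 'Isolation'      -Value 'PMEM' -Type String
    Set-ItemProperty -Path $main -Name 'Isolation64Bit' -Value 1      -Type DWord
    Write-Host 'EPM enabled; restart Internet Explorer for the change to take effect.'
}
```

Run it without switches to report the current state, or with `-Enable` (as the affected user) to turn EPM on; setting the Flash kill bit is left to an administrator since it affects every IE user on the machine.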


Fig. IE10+ protected mode on Windows 7+ x64.

Source: https://habr.com/ru/post/212619/

