On Thursday, an unknown submitter posted the original exploit code, which takes advantage of a flaw in all versions of Microsoft’s Internet Explorer, to Wepawet, a malware analysis project run by the Computer Security Group at the University of California at Santa Barbara. The next day, the Metasploit project added a module to its framework to exploit the vulnerability.
The original exploit only worked on Internet Explorer 6 running on Windows XP, Metasploit’s researchers stated. The attack did not implement known methods for getting around security measures in IE 7 and IE 8, according to Dan Kaminsky, director of penetration testing for security firm IOActive.
“That doesn’t mean that it couldn’t work on other versions of Windows,” Kaminsky said. “The attackers just did not implement the methods to get around protections on other combinations of IE and Windows.”
Microsoft reassured customers that the company has seen very few attacks, but recommended that Windows XP users upgrade to the latest service pack and Internet Explorer 8.
“We are only seeing very limited number of targeted attacks against a small subset of corporations,” Microsoft stated in a blog post on Sunday. “The attacks that we have seen to date, including public proof-of-concept exploit code, are only effective against Internet Explorer 6. Based on a rigorous analysis of multiple sources, we are not aware of any successful attacks against IE7 and IE8 at this time.”
Yet, independent researcher Dino Dai Zovi had modified the exploit code by Monday morning to compromise Windows XP and Vista systems using Internet Explorer 7, he said. He expected to succeed in exploiting the same vulnerability on Internet Explorer 8 and Windows XP systems, he added.
“The original exploit showed a moderate level of sophistication, somewhat more than the average heap-spray style browser exploit,” Dai Zovi said.
Some organizations took drastic measures in response to the discovery of the Internet Explorer flaw. The German’s government’s Federal Office for Information Security reportedly recommended that users install alternative browsers so as not to be vulnerable to attack.
Posted by: Robert Lemos