On November 3rd, Microsoft warned of a new, unpatched vulnerability in all versions of Internet Explorer (IE) that is being exploited to spread malware.
Because IE mishandles certain CSS tags, it can access an object that has already been freed, corrupting memory (a use-after-free). This hijacks the program's instruction pointer (EIP), which causes a crash and can even allow remote code execution.
[Figure: Exploit demonstration on XP SP3]
[Figure: Exploit code demo]
[Figure: Call 0x0D7DC9C9 ?]
In the figure above, the program calls 0x0d7dc9c9. That address lies in heap memory, and normally the program would simply crash, because nothing has been allocated or initialised there. The attacker instead uses a heap spray to fill a large region of the heap (covering this address) with prepared data, so the call lands on attacker-controlled content and arbitrary code execution follows.
This attack vector is blocked by Data Execution Prevention (DEP), which IE 8 turns on by default on every OS version from Windows XP SP3 onwards.
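Because the mitigation above only helps if DEP is actually enforced on the host, an administrator will want a quick way to confirm the system-wide DEP policy. The following PowerShell is an added example, not code from the original advisory or from Microsoft; it reads the DEP properties that the Win32_OperatingSystem WMI class exposes on XP SP2 and later, and assumes Windows PowerShell with WMI access. The policy names follow Microsoft's documented SupportPolicy values (0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut).

```powershell
# Added example (not part of the original advisory): report the DEP configuration of
# the local Windows host via the Win32_OperatingSystem WMI class.
# Assumption: Windows PowerShell 2.0 or later with WMI available.

function Get-DepStatus {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Documented meanings of DataExecutionPrevention_SupportPolicy
    $policyNames = @{
        0 = 'AlwaysOff (DEP disabled for every process)'
        1 = 'AlwaysOn  (DEP enforced for every process)'
        2 = 'OptIn     (Windows binaries plus programs that opt in, such as IE 8)'
        3 = 'OptOut    (every process unless explicitly excluded)'
    }
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy

    New-Object PSObject -Property @{
        ComputerName         = $os.CSName
        OSVersion            = $os.Version
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        SupportPolicyCode    = $policy
        SupportPolicy        = $policyNames[$policy]
        AppliesTo32BitApps   = [bool]$os.DataExecutionPrevention_32BitApplications
        AppliesToDrivers     = [bool]$os.DataExecutionPrevention_Drivers
    }
}

# DEP protects an opt-in process (like IE 8) only when the policy is not AlwaysOff
# and the CPU supports NX/XD; without hardware support, "software DEP" does not stop
# execution from heap pages.
function Test-DepEffectiveForOptIn {
    param(
        [int]$PolicyCode,
        [bool]$HardwareAvailable
    )
    if (-not $HardwareAvailable) { return $false }
    return ($PolicyCode -ne 0)
}

$status = Get-DepStatus
$status | Format-List ComputerName, OSVersion, HardwareDepAvailable, SupportPolicy, AppliesTo32BitApps, AppliesToDrivers

if (Test-DepEffectiveForOptIn -PolicyCode $status.SupportPolicyCode -HardwareAvailable $status.HardwareDepAvailable) {
    Write-Output 'DEP is in force for processes that opt in (IE 8 included).'
} else {
    Write-Output 'WARNING: DEP will not protect opt-in processes on this host.'
}
```

On Windows XP the policy comes from the /noexecute switch in boot.ini; on Vista and later it is the nx setting shown by `bcdedit /enum {current}`. Either way, the WMI properties above report the effective result, which is what matters for the IE 8 default described in the advisory.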
Microsoft is currently monitoring the threat to decide whether to issue an out-of-band patch. It is likely that the vulnerability will be fixed in a regular monthly bulletin.
Until Microsoft releases the patch, users are advised to be careful not to click links from unknown sources.
Le Manh Tung
Senior Security Researcher