Malware City/Blog/

Mar
11
Filed Under:
ALERTS

New Critical IE Vulnerability Spotted in the Wild

11 March 2010
BitDefender® today has released an emergency update to shield users against the newly-discovered vulnerability in Internet Explorer® versions 6 and 7. Microsoft® has detailed the attack scenarios in security advisor #981374, announcing that a patch is being made in order to mitigate the vulnerability.

Users running Internet Explorer versions 6 and 7 can get infected by simply visiting a specially crafted web page that uses highly obfuscated JavaScript code to create a use-after-free error, such as a pointer being accessed after the deletion of an object.

Anatomy of the attack

Initially, the user is lured into visiting a specially crafted web link advertised either via spam messages or as posted on bulletin boards, social networks etc. The respective webpage contains JavaScript code obfuscated using the escape function. In order to bypass detection from various antivirus products, the script calls a secondary JavaScript that replaces a variable with the unescape string.

 

Vulnerabilities in Internet Explorer 6 and 7

 

The decrypted result is actually the malicious payload which will trigger a heap spray attack and will write the malicious code into the browser's User Data area, making it persistent: every time the browser starts, the malicious code is executed without any subsequent intervention (drive-by download), which will result in the automatic download of a file called either notes.exe or svohost.exe (detected by BitDefender as Gen:Trojan.Heur.PT.cqW@aeUw@pbb).

This approach is similar to the one described in CVE-2010-0249 that has been used in targeted attacks against 34 major corporations including GoogleTM and AdobeTM.

Vulnerabilities in Internet Explorer 6 and 7

Mitigating the risks

 Microsoft announced that the exploit is already in the wild and that users will be provided with a fix as soon as possible. Most likely, the vendor will issue a patch on the next "patch Tuesday", namely on April 13. Since Internet Explorer® 8 is not vulnerable to the attack, the next logical step would be to upgrade immediately. However, many custom-made applications in the corporate environment are strongly interconnected with IE 6 or IE 7 and might not work as expected on Internet Explorer 8.

BitDefender is currently detecting the exploit and blocking the malicious code before inflicting any damage to the computer. Moreover, all BitDefender customers have been proactively protected against the infected binaries the exploit is trying to install on the local machine.

In order to stay safe, BitDefender recommends that you download, install and update a complete antimalware suite with antivirus, antispam, antiphishing and firewall protection and to manifest extra caution when prompted to open files from unfamiliar locations.





By Loredana Botezatu
Loredana sees in BitDefender a new challenge and a fresh approach to her professional development. Her enthusiasm, curiosity and, of course, lots of research, are some of the features that make her a competitive player in the security industry.

Related

08-03-2010 | Cracked Silent Hunter 5 – Battle of the Malware

05-03-2010 | World of Warcraft Accounts at Risk From Trojaned Wowmatrix

02-03-2010 | Malware Alert: Win32.Worm.Mabezat.J is Hiring!

01-03-2010 | Malware downloads on the podium in Vancouver 2010 queries

Comments:

francis said on Mar-21-2010 01:37

In my xp sp3 ie6, an IE plugin has been added named ytyjjut. I used several means to remove it , but unable to succeed. Its in the system 32 file named ytyjjut.dll
pls help me to remove it.

Comment on this

Name:

Email:

Website:

Your email adress will not be published.