
0-Day in Internet Explorer 7, 8 and 9 (you could get infected when visiting a malicious page)

Patch for IE in Windows Update

Perhaps this does not catch many people's attention because they are used to this type of news, but it is a serious problem. A new 0-day has been detected in Internet Explorer. This means that a hitherto unknown vulnerability was already being exploited by attackers to infect machines.

The problem affects versions 7, 8 and 9 of the browser and allows an attacker to take control of a computer simply by having it visit a manipulated page. At the moment there is no Microsoft announcement or patch that solves the problem, so it is recommended to use an alternative browser. It is the simplest solution.

Update: Microsoft has released a security advisory confirming the problem (English / Spanish version). Internet Explorer version 10 is not vulnerable. The bulletin mentions some recommended actions to mitigate the impact, but I repeat that the simplest one is to browse with another browser.

Update 2: Microsoft has released a Fix it that temporarily fixes the problem for you automatically. It is important to note that it is not the final patch: when the patch is ready, you must apply the "Disable" Fix it and then download and install the final patch to fix the vulnerability permanently.

Update 3: final patch released

A few hours ago Microsoft released the final patch that fixes the bug in IE. You can get it from Windows Update (KB2744842) or download it manually from here. If you previously applied the Fix it, remember to deactivate it as discussed in update 2 of this post.
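For administrators who want to confirm that the final patch actually landed on a machine before letting Internet Explorer back into use, the following PowerShell check is an added example (it is not from the original post or from Microsoft). It assumes the update ID KB2744842 named above and the standard Internet Explorer registry key; the threshold values and the output shape are my own choices.

```powershell
# Added example (not from the original post): report whether KB2744842 is installed
# and which Internet Explorer version a machine runs, so a defender can verify the
# fix on affected clients (IE 7, 8 and 9). Run from an elevated PowerShell prompt.
$kb = 'KB2744842'   # update ID named in the post

function Get-IEPatchStatus {
    param([string]$UpdateId = $kb)

    # Get-HotFix reads Win32_QuickFixEngineering. Updates applied outside the
    # normal Windows Update / WUSA path may not be listed, so treat "missing"
    # as "verify further", not as proof that the machine is unpatched.
    $fix = Get-HotFix -Id $UpdateId -ErrorAction SilentlyContinue

    # IE records its version in the registry. 'svcVersion' exists from IE 10
    # onwards and takes precedence; older releases only have 'Version'.
    $ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    $ieVersion = if ($ie -and $ie.svcVersion) { $ie.svcVersion } elseif ($ie) { $ie.Version } else { 'unknown' }

    # Major version 7, 8 or 9 is the affected range described in the post;
    # IE 10 is stated as not vulnerable.
    $major = 0
    if ($ieVersion -match '^(\d+)\.') { $major = [int]$Matches[1] }
    $affectedRange = ($major -ge 7 -and $major -le 9)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        IEVersion      = $ieVersion
        AffectedRange  = $affectedRange
        PatchInstalled = [bool]$fix
        InstalledOn    = if ($fix) { $fix.InstalledOn } else { $null }
        # Action is advisory only: a machine in the affected range without the
        # update listed should be checked by hand (or re-scanned after reboot).
        Action         = if ($affectedRange -and -not $fix) { "Verify/install $UpdateId" } else { 'OK' }
    }
}

# Usage on the local machine; pipe to Export-Csv to collect results from a fleet.
Get-IEPatchStatus | Format-List
```

If the Fix it was applied earlier, this script cannot tell you whether it is still active; follow the post's instruction and run the "Disable" Fix it before or after installing the update, then re-run the check.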

The vulnerability was discovered by researcher Eric Romang (@eromang) while monitoring the servers that hosted the Java 0-day that was discussed so much a few weeks ago. That's right: these attackers were using two zero-day vulnerabilities to do their thing.

Romang worked over the weekend with @binjo and the Metasploit team, and today they published an exploit module that allows the attack to be carried out from the framework:

As you can see in the previous screenshot, at the moment it works on IE 7, 8 and 9 under Windows XP, Vista and 7. As I mentioned before, just visiting a page that contains the exploit is enough for the computer to become infected automatically.

You can see a demo below; this video was published by @eromang just a couple of hours ago on his blog. I know it may be a bit confusing, but basically what it does is load the exploit on a page, and when the victim visits it (in this case under XP) their computer becomes infected without any visible sign. At the end you can see that, with a couple of commands, the attacker retrieves data from the infected system in their terminal:

What to do to avoid problems?

An antivirus can help block the attack, but ideally, as long as no update for Internet Explorer has been released, you should browse the web with another browser such as Firefox, Chrome or Opera.

More information:

– 0day in Internet Explorer (inteco.es)
– Exploit details (metasploit.com)

Via @daboblog and @holesec