New Internet Explorer vulnerability used to deliver "Poison Ivy" trojan

Users of Microsoft's last three Internet Explorer web browsers should be aware of a new security issue that is already being used by hackers to distribute a back door malware threat. The issue was first found by security researcher Eric Romang.

In a blog post this weekend, Romang states that this "zero day" exploit uses Flash Player to bypass the ASLR (Address Space Layout Randomization) security in Windows. The exploit then delivers the "Poison Ivy" malware to the PC. This new security hole, which was later confirmed by Rapid7.com, affects IE7, IE8, and IE9 on Windows XP, Vista and 7.

News.com got a comment from Microsoft, which states:

We're aware of targeted attacks potentially affecting some versions of Internet Explorer.... We have confirmed that Internet Explorer 10 is not affected by this issue. We recommend customers deploy Microsoft's Enhanced Mitigation Experience Toolkit (EMET) 3.0, which provides effective protections without affecting the Web browsing experience. We will continue to investigate this issue and take further actions as appropriate.

Microsoft has been patching security holes in Internet Explorer 9 recently, including one that was plugged in the August "Patch Tuesday" batch. There's no word on when Microsoft will release a patch for this latest IE problem.

Source: News.com | Image via Microsoft


40 Comments


I see carefully worded statements from all concerned. No one wants to say if IE's protected mode deals with this or not.

Given the conditions that the malware dropper uses, I'm thinking it is mitigated after all.

Another nail in the coffin for the nonstandard browser! I think Gecko and WebKit browsers the best, at least they ignore errors in code and try to display in standards mode even with the errors. With IE I've got to constantly use hacky fixes that often make things worse!

Exploits do happen, and often for good results (jailbreaking iPhone and PSP), but IE always has holes. Patch a patch, to break a previous patch, to then rip the patched quilt to shreds in temper!!

So much for all the claims that IE is the most secure browser then lol. Nothing has changed. It's still a primary malware vector for Windows operating systems. Drive-by malware is alive and kicking in the IE web browser, in fact it never left.

Oh, and popularity isn't an excuse now because Chrome officially has the greater marketshare. So what's the excuse this time for IE's poor security?

simplezz said,
Drive-by malware is alive and kicking in the IE web browser, in fact it never left.

Not that I'm a fan of IE either (just due to preference), but there isn't a browser out there that hasn't been the victim of exploits. IE's no better or worse than the others, they all have had problems. Just look at this year's Pwn2Own, Secunia, whatever. (And guess what, Chrome got nailed a few times too.) A 100% secure browser doesn't exist, never mind this exploit relies on a bug in Flash.

Good to see you reading the article

The exploit cannot work without Java or Flash. If you don't have either of those then you aren't getting exploited because ASLR will protect you.

-Razorfold said,
Good to see you reading the article

The exploit cannot work without Java or Flash. If you don't have either of those then you aren't getting exploited because ASLR will protect you.

I did read the article. And most users do have Flash and Java installed, therefore it's drive-by malware affecting the great majority of IE users.

Max Norris said,

Not that I'm a fan of IE either (just due to preference), but there isn't a browser out there that hasn't been the victim of exploits. IE's no better or worse than the others, they all have had problems. Just look at this year's Pwn2Own, Secunia, whatever. (And guess what, Chrome got nailed a few times too.) A 100% secure browser doesn't exist, never mind this exploit relies on a bug in Flash.

This is a zero day exploit actively being used by malware writers, not some proof of concept a la Pwn2Own.

I've used Chrome and Firefox for years and have never been infected with drive-by malware, the same can't be said for IE, which has infected my and many others' Windows PC's. Exploits and vulnerabilities are one thing, but actively infecting machines using them is quite another, and IE is the sole vector here.

simplezz said,
This is a zero day exploit actively being used by malware writers, not some proof of concept a la Pwn2Own.

I also said to look up Secunia and whatnot too. (And just because it was shown in a competition means it doesn't matter? Seriously?) What makes this IE/Flash exploit different from say a Java/Chrome exploit? (Which has happened.) Just because it's Microsoft, AKA the usual Flawed view on things?

simplezz said,
I've used Chrome and Firefox for years and have never been infected with drive-by malware, the same can't be said for IE, which has infected my and many others' Windows PC's.

Perhaps you should lock down your browser a bit more then? I'm not a fan of IE either, but I know plenty of users who take a few moments to lock their browser down and use safe browsing habits and have never encountered an exploit. Well aside from those who haven't updated their software in the last 10 years or so anyway.

Max Norris said,

I also said to look up Secunia and whatnot too. (And just because it was shown in a competition means it doesn't matter? Seriously?) What makes this IE/Flash exploit different from say a Java/Chrome exploit? (Which has happened.) Just because it's Microsoft, AKA the usual Flawed view on things?


Perhaps you should lock down your browser a bit more then? I'm not a fan of IE either, but I know plenty of users who take a few moments to lock their browser down and use safe browsing habits and have never encountered an exploit. Well aside from those who haven't updated their software in the last 10 years or so anyway.

Don't bother, this guy doesn't know what he is talking about. He is knowledgeable enough to know he wants to switch browsers, which I applaud, but clearly doesn't understand IE or computer infections in general very well. Anyone who makes comments like "Drive-by malware is alive and kicking in the IE web browser, in fact it never left." or "I've used Chrome and Firefox for years and have never been infected with drive-by malware, the same can't be said for IE" clearly is more interested in promoting the disuse of IE than actually discussing facts.

Was worrying for a second...but then I remembered I don't use IE except to test the occasional web design I'm working on localhost.

technikal said,
Was worrying for a second...but then I remembered I don't use IE except to test the occasional web design I'm working on localhost.

Wasn't worried even for a second here and I use IE 9 very frequently. This is basically nothing new as far as a flaw being discovered. Happens in every browser and ESPECIALLY Chrome and Firefox. Why do you think such a new browser as Chrome is up to version, what, 22? That thing is flawed just because of who makes it, IMO.

cork1958 said,

Wasn't worried even for a second here and I use IE 9 very frequently. This is basically nothing new as far as a flaw being discovered. Happens in every browser and ESPECIALLY Chrome and Firefox. Why do you think such a new browser as Chrome is up to version, what, 22? That thing is flawed just because of who makes it, IMO.

Really? Version numbers are how you judge flaws in software? So IE should be up to something like version 986.77.058 or so.

Companies have different version numbering schemes, get over it.

KomaWeiß said,
I thought IE was supposed to be safe? LULZ

Compared to what?

Chrome, yes, Firefox, yes, Opera, yes...

Go see if they have had any Flash or Java related exploits in the past couple of years? Back yet?

Ok, good, so you can see that they all did, and MORE than IE9.

Done now?

thenetavenger said,

Compared to what?

Chrome, yes, Firefox, yes, Opera, yes...

Can you get drive-by malware with Firefox, Chrome, or Opera? No. Can you with IE? Yes, in fact, throughout its existence that's been the case.

thenetavenger said,

Go see if they have had any Flash or Java related exploits in the past couple of years? Back yet?

Exploits != active malware infections. I've never been infected with Drive-by malware in Firefox, Chrome, or Opera. I have however in IE. On a number of occasions actually.

thenetavenger said,

Ok, good, so you can see that they all did, and MORE than IE9.
Done now?

No. You've proved exactly nothing. IE is still the only browser with drive-by infecting malware.

simplezz said,

Can you get drive-by malware with Firefox, Chrome, or Opera? No. Can you with IE? Yes, in fact, throughout its existence that's been the case.

Exploits != active malware infections. I've never been infected with Drive-by malware in Firefox, Chrome, or Opera. I have however in IE. On a number of occasions actually.

No. You've proved exactly nothing. IE is still the only browser with drive-by infecting malware.

The term "drive-by malware" typically refers to the issue of users installing unwanted ActiveX controls. This never happened without the user's accepting a prompt, but for a long time the prompt was confusing and most users pressed 'Yes' without understanding it. That issue was fixed with XP SP2 (the update to IE 6.0 that probably should have been called 7.0). It is now hard enough to install ActiveX or run code from IE that if it happens it is the user's fault, not the browser's.

Have there been security flaws with IE? Yes, many. Have other browsers had flaws? Yes, many. Does a systematic problem exist throughout IE's history that has allowed for malware to be installed without user acknowledgment? No, Never.

Exploits != active malware infections. I've never been infected with Drive-by malware in Firefox, Chrome, or Opera. I have however in IE. On a number of occasions actually.

I love this quote, proves that you are lying and/or an idiot.

I am not trying to say IE is better than other browsers, or even as good, it's not. All I am doing is calling foul on your fud.

Hello,

There are certainly vulnerabilities which have been exploited in both the Firefox and Opera web browsers to deliver malware. There are web exploit toolkits that contain plugins for them. I'm unsure about Chrome, as the last time I looked at such a toolkit Chrome had negligible marketshare, but it wouldn't surprise me if there were some being exploited, although with Chrome's frequent updates I think that would be a low value vector for an attacker.

Regards,

Aryeh Goretsky

simplezz said,

Can you get drive-by malware with Firefox, Chrome, or Opera? No. Can you with IE? Yes, in fact, throughout its existence that's been the case.

Exploits != active malware infections. I've never been infected with Drive-by malware in Firefox, Chrome, or Opera. I have however in IE. On a number of occasions actually.

No. You've proved exactly nothing. IE is still the only browser with drive-by infecting malware.

Article said,
Romang states that this "zero day" exploit uses Flash Player that can bypass the ASLR (Address Space Layout Randomization) security in Windows.

So which one is responsible? From this word, it seems that Flash Player is responsible for the vulnerability, not Windows. No?

FarCry3r said,

So which one is responsible? From this word, it seems that Flash Player is responsible for the vulnerability, not Windows. No?

It could be both.

FarCry3r said,

So which one is responsible? From this word, it seems that Flash Player is responsible for the vulnerability, not Windows. No?

I haven't studied this flaw, but it sounds like a double flaw. The primary flaw is with Flash, however, IE is not properly isolating the Flash plug-in, which allows the flaw to do more than just crash the current browsing tab, which is what should happen.

HAckEur said,
when I read this, it makes me love my Sandboxie even more (aka the internet condom)

I wear 3 pairs for extra protection Forefront TMG 2010 NIPS, Endpoint Security % restrictive group policy

TPreston said,

I wear 3 pairs for extra protection Forefront TMG 2010 NIPS, Endpoint Security % restrictive group policy

from Jean-Marie Bigard: "The Swiss wear 3 pairs of condoms to make sure the middle one stays clean..."

On a somewhat related note, EMET truly is a great piece of software. Use it on every browser!

Edited by Charisma, Sep 18 2012, 1:44am :

Enron said,
Microsoft has already issued a fix, Windows 8.

No mention if IE10 is affected probably more because it's not been tested/isn't released legally, not that it isn't affected

n_K said,

No mention if IE10 is affected probably more because it's not been tested/isn't released legally, not that it isn't affected

Actually it is mentioned that IE 10 is not affected by this. It's in the quote from Microsoft.

n_K said,

No mention if IE10 is affected probably more because it's not been tested/isn't released legally, not that it isn't affected

What on earth are you talking about. Windows 8 RTM has been released LEGALLY to many technet subscribers. I personally got my copy from dreamspark premium...