Hackers Attack Patched Internet Explorer Vulnerability
If you use Internet Explorer and haven't yet downloaded its latest patch, you may have left yourself open to a vulnerability that could infect your PC with malware.
Yesterday (July 11) was "Patch Tuesday," Microsoft's monthly cavalcade of security updates for all things Windows. This Tuesday included a patch of an Internet Explorer vulnerability, which allowed a potential malefactor to take advantage of used memory to execute harmful files, according to a recent Microsoft TechNet blog post.
The downside of Patch Tuesday, of course, is that when Microsoft discusses patched security flaws, it reveals a whole host of new tricks to hackers. Users who do not update right away risk falling prey to potentially devastating exploits that Microsoft has shared with the public.
The latest exploit utilizes an Adobe Flash SWF file (like the famous looping animation of the shuffling goose) to take advantage of Internet Explorer's memory allocation. The exploit is quite technical, but somebody apparently wants to get it out there, because Microsoft reports that it's been spotted out in the wild.
The exploit starts by targeting Internet Explorer's address space layout randomization (ASLR), which keeps a program's memory clusters randomized in order to protect them from rogue executable files. The program bypasses ASLR by a "use-after-free" memory flaw, which, as the name suggests, plants executable scripts in sections of memory that are supposed to be freed up after use.
After ASLR, the exploit compromises the Windows Data Execution Prevention (DEP). The DEP protocol prevents executable files from running from non-executable memory clusters; in other words, it ensures that Windows only runs programs that you OK.
Using a return-oriented process, which allows a program to run malicious code in spite of security defenses, the exploit can essentially reverse DEP defenses. This allows Windows to run executable files from what is usually a benign space. [See also: 8 Security Basics the Experts Want You to Know]
Although Microsoft did not say exactly where the exploit showed up on the Internet, the attack came through an image file called "pageerror.gif," which then downloaded an encrypted executable file. This file may then take up residence in the %TEMP% folder, going by "javae.exe." Running this program would install unspecified malware.
Preventing the exploit is easy: If you've installed the latest Internet Explorer patch, you're already done. If not, running Windows Update will take care of it. If you're one of the few unlucky souls who's contracted some dangerous software, a standard malware sweep should take care of it.
As always, stay on top of security updates, especially for programs you use every day. You never know when a slightly outdated exploit will be too good for a hacker to pass up.