New Internet Explorer Zero-Day Vulnerability Exploited in the Wild

Contributor: Lionel Payet

Eric Romang has published a blog post about the Microsoft Internet Explorer Image Arrays Remote Code Execution Vulnerability, a possible zero-day vulnerability in Internet Explorer that is being exploited in the wild. Microsoft has confirmed that this vulnerability affects Internet Explorer 9, Internet Explorer 8, Internet Explorer 7, and Internet Explorer 6.

The exploit is made up of four main components:

  1. The Exploit.html file is the starting point and is responsible for setting up the exploit. After establishing the conditions the vulnerability requires, it invokes the Moh2010.swf file.
  2. The Moh2010.swf Flash file is responsible for spraying the heap with the payload that will be executed. After setting up the payload, it invokes the vulnerability trigger, Protect.html, by opening it in an IFRAME.
  3. The Protect.html file is the actual trigger of the vulnerability and is responsible for executing the malicious payload set up by the Moh2010.swf file.
  4. The payload downloads additional malicious executables and runs them on the compromised system.
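As an added example (not code from the original post or from the attack), the following Python correlates web-proxy log lines to flag any client that fetched the three stage files above in order within a short window, ignoring unrelated requests interleaved between them. The log line format, host names, client addresses and the 60-second window are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage filenames named in the write-up, in the order the chain fetches them.
CHAIN = ["exploit.html", "moh2010.swf", "protect.html"]
WINDOW = timedelta(seconds=60)  # assumed: a single page load finishes within a minute

# Constructed proxy log format: "<ISO timestamp> <client_ip> GET <url>"
LINE_RE = re.compile(r"^(\S+) (\S+) GET (\S+)$")

def parse_line(line):
    # Returns (timestamp, client_ip, lowercased filename) or None for unparseable lines.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, url = m.groups()
    name = url.rsplit("/", 1)[-1].split("?", 1)[0].lower()
    return datetime.fromisoformat(ts), client, name

def find_chains(lines):
    """Map client_ip -> time of its Exploit.html fetch for every client that then
    fetched Moh2010.swf and Protect.html, in that order, within WINDOW."""
    hits = {}
    progress = defaultdict(lambda: (0, None))  # client -> (next stage index, chain start)
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, client, name = parsed
        idx, start = progress[client]
        if name == CHAIN[0]:
            progress[client] = (1, ts)  # (re)start the chain at Exploit.html
        elif idx and name == CHAIN[idx]:
            if ts - start > WINDOW:
                progress[client] = (0, None)  # too slow to be one page load; drop it
            elif idx + 1 == len(CHAIN):
                hits[client] = start  # all three stages seen in order
                progress[client] = (0, None)
            else:
                progress[client] = (idx + 1, start)
    return hits

# Constructed sample log: 10.0.0.5 completes the chain, 10.0.0.9 never loads Exploit.html.
SAMPLE_LOG = [
    "2012-09-17T10:00:01 10.0.0.5 GET http://landing.example.invalid/exploit.html",
    "2012-09-17T10:00:02 10.0.0.5 GET http://landing.example.invalid/logo.png",
    "2012-09-17T10:00:03 10.0.0.5 GET http://landing.example.invalid/Moh2010.swf",
    "2012-09-17T10:00:04 10.0.0.5 GET http://landing.example.invalid/Protect.html",
    "2012-09-17T10:00:05 10.0.0.9 GET http://landing.example.invalid/Protect.html",
]
```

Running `find_chains(SAMPLE_LOG)` reports only 10.0.0.5, since a Protect.html fetch on its own, or a chain whose stages are minutes apart, does not complete the sequence.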

Interestingly, this exploit was hosted on the same servers used in the Nitro attack.

As always, we recommend that you follow best security practices and ensure you have the most up-to-date software patches installed. Use the latest Symantec technologies and virus definitions for the best protection against threats.