A French IT security firm is warning of a previously unknown (“zero day”) vulnerability that affects most versions of Microsoft’s Internet Explorer Web browser. The hole, if exploited, could allow remote attackers to circumvent defensive features in fully patched Windows 7 and Windows Vista and run malicious code on vulnerable systems.
The warning was first issued by Vupen Security on December 9. The company, based in Montpellier, France, said it had discovered a “use-after-free” error in the mshtml.dll library – IE’s HTML rendering engine – that could allow attackers to take complete control of a vulnerable system.
Use-after-free errors happen when a program continues using a pointer to an area of computer memory after that memory has been freed. In some cases, the freed memory can be re-allocated and used to launch attacks, such as buffer overflows, that can result in malicious code being run on a vulnerable system, according to OWASP.
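The ownership mistake behind this bug class, shown as an added illustration that is not code from the article or from mshtml.dll: a constructed "style sheet" node is shared by two components, the vulnerable pattern frees it while the second component still holds a raw pointer, and the hardened pattern reference-counts the node so the last holder frees it and every release clears the caller's pointer.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the use-after-free class described above; it is
 * not code from mshtml.dll or from the article. A "style sheet" node is shared
 * by two holders; the hardened version reference-counts it. */
typedef struct {
    int  refs;
    char name[32];
} sheet_t;

/* --- Vulnerable ownership model: raw aliases, one unconditional free --- */
static int dangling_alias(void) {
    sheet_t *s = malloc(sizeof *s);
    if (!s) return -1;
    strcpy(s->name, "imported.css");
    sheet_t *alias = s;      /* a second component keeps its own raw pointer */
    free(s);                 /* first component is done and releases the node */
    s = NULL;                /* nulling *one* pointer does not help the alias */
    /* alias still holds the old address; dereferencing it here would be a
     * use-after-free. We only report that the reference outlived the object. */
    return alias != NULL;    /* 1: a stale reference survives the free */
}

/* --- Hardened model: every holder takes a reference, the last one frees --- */
static sheet_t *sheet_new(const char *name) {
    sheet_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->refs = 1;
    strncpy(s->name, name, sizeof s->name - 1);
    return s;
}
static sheet_t *sheet_ref(sheet_t *s) { s->refs++; return s; }
static void sheet_unref(sheet_t **sp) {
    if (*sp && --(*sp)->refs == 0) free(*sp);
    *sp = NULL;              /* the releasing holder can never reuse its pointer */
}

/* Returns the length of the name still readable through the second holder
 * after the first holder has released: the object must still be alive. */
static int refcounted_alias(void) {
    sheet_t *owner = sheet_new("imported.css");
    if (!owner) return -1;
    sheet_t *alias = sheet_ref(owner);   /* second holder declares its interest */
    sheet_unref(&owner);                 /* first holder releases; refs 2 -> 1 */
    int len = (int)strlen(alias->name);  /* safe: object alive, owner == NULL */
    sheet_unref(&alias);                 /* refs 1 -> 0, memory freed exactly once */
    return len;                          /* 12 */
}
```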
In this case, the flaw could be exploited when IE loaded specially formatted Cascading Style Sheets (CSS) files that included @import rules, which allow Web sites to incorporate style sheets from external sites.
According to a blog post from Offensive Security, exploits for the vulnerability can be used to run malicious code on most supported versions of Windows and Internet Explorer, including Microsoft’s latest release: Internet Explorer 8 running on fully patched versions of Windows 7. The exploit, when combined with other attack techniques, allows attackers to bypass two Windows security features, Data Execution Protection (DEP) and Address Space Layout Randomization (ASLR), that are specifically designed to thwart malicious code. A sample exploit targeted at the vulnerability was added to the Metasploit framework on December 20.