A few days ago a new vulnerability was discovered in Internet Explorer 7.0 that is being actively exploited from sites hosted in China.
 
Something to mention from the outset: this vulnerability is NOT patched by MS08-073, the cumulative Internet Explorer update Microsoft released yesterday.
 
The vulnerability is a remotely exploitable issue in the XML parsing mechanism of Internet Explorer 7.0. Successful exploitation results in code running with the privileges of the current user, so a victim browsing as an administrator hands over the whole system.
 
The issue is triggered by an HTML ‘<span>’ element that is not followed by a closing ‘</span>’ element. These span elements reference an XML data island by ID (via DATASRC and DATAFLD) and bind that XML data into the HTML page as HTML. Should the referenced XML contain an HTML element with a ‘src’ attribute (in the public sample, an image element carrying two ‘src’ attributes), the value of the src attribute is used to corrupt memory. The exploit XML looks something like this:
 
<XML ID=I>
<X>
<C>
<![CDATA[<image src=http://rਊr.book.com src=http://www.google.com]]>
<![CDATA[>]]>
</C>
</X>
</xml>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<XML ID=I>
</XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
</SPAN>

 
When the exploit is tested, a crash is observed in the ‘TransferFromSrc()’ function of the dynamic library ‘mshtml.dll’. The public exploit follows the usual heap-spray pattern: it first prepares the heap by allocating 159 arrays containing the shellcode, then checks that the victim is running Internet Explorer 7 on either Windows XP or Windows 2003, and only once all the preconditions are met does it load the XML shown above to trigger the corruption. The spray comes first so that the memory reference corrupted by the XML points into attacker-controlled data: the ‘ਊ’ characters in the src value are U+0A0A, which read as bytes give 0x0A0A0A0A, an address the spray has filled with shellcode.
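The data-binding shape above (an XML island bound into a span with DATAFORMATAS=HTML, re-declared under the same ID, plus an image tag with two src attributes) and the heap-spray preparation described in this paragraph are both things a scanner can look for in page content before it reaches a browser. The following Python is an added example written for this post, not code from the original article or from any vendor's signature set. The two sample pages are constructed here: the malicious one copies the structure of the XML shown above with a run of %u9090 NOPs standing in for the real payload and the 159 allocations the post reports, and the benign one uses the same IE data-binding feature legitimately. The thresholds (16 %u escapes, a loop bound of 100) and the verdict rules are assumptions chosen for the example.

```python
import re

# Constructed sample pages (not the real exploit; shaped after the XML in the post).
# The payload is a run of %u9090 NOPs, and 159 is the array count the post reports.
MALICIOUS_SAMPLE = (
    "<html><body><script>\n"
    'var sc = unescape("' + "%u9090" * 24 + '");\n'
    "var blocks = new Array();\n"
    "for (var i = 0; i < 159; i++) { blocks[i] = sc + sc; }\n"
    "</script>\n"
    "<XML ID=I><X><C>\n"
    "<![CDATA[<image src=http://&#2570;&#2570;.book.com src=http://www.google.com]]>\n"
    "<![CDATA[>]]>\n"
    "</C></X></XML>\n"
    "<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>\n"
    "<XML ID=I></XML>\n"
    "<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>\n"
    "</body></html>\n"
)

# Constructed legitimate use of the same feature: one island, one src per image, no spray.
BENIGN_SAMPLE = (
    "<html><body>\n"
    "<XML ID=products><row><desc><![CDATA[<b>Widget</b> <img src=\"/img/widget.png\">]]></desc></row></XML>\n"
    "<SPAN DATASRC=#products DATAFLD=desc DATAFORMATAS=HTML></SPAN>\n"
    '<script>for (var i = 0; i < 10; i++) { document.title += "."; }</script>\n'
    "</body></html>\n"
)

SPAN_RE = re.compile(r"<span\b([^>]*)>", re.I)
XML_ISLAND_RE = re.compile(r"<xml\b[^>]*\bid\s*=\s*[\"']?(\w+)", re.I)
# No closing '>' required: the exploit splits the image tag across two CDATA sections.
IMG_RE = re.compile(r"<(?:img|image)\b([^>]*)", re.I)
ATTR_RE = re.compile(r"([\w:-]+)\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s\"'>]+)")
UNICODE_ESC_RE = re.compile(r"%u[0-9a-f]{4}", re.I)
LOOP_BOUND_RE = re.compile(r"for\s*\([^)]*<\s*(\d+)\s*;[^)]*\)", re.I)

SPRAY_MIN_ESCAPES = 16   # assumed: shorter %uXXXX runs are not treated as a payload
SPRAY_MIN_LOOP = 100     # assumed: the post's sample allocates 159 blocks


def _attrs(tag_body):
    """Attribute name -> value (quotes stripped) for the inside of one tag."""
    return {k.lower(): v.strip("\"'") for k, v in ATTR_RE.findall(tag_body)}


def html_bound_spans(doc):
    """(island id, field) for every <span> that renders bound data as HTML."""
    out = []
    for m in SPAN_RE.finditer(doc):
        a = _attrs(m.group(1))
        if "datasrc" in a and a.get("dataformatas", "").lower() == "html":
            out.append((a["datasrc"].lstrip("#").lower(), a.get("datafld", "").lower()))
    return out


def duplicate_src_images(doc):
    """Image tags carrying more than one src attribute, the trigger shape in the post."""
    hits = []
    for m in IMG_RE.finditer(doc):
        names = [k.lower() for k, _ in ATTR_RE.findall(m.group(1))]
        if names.count("src") > 1:
            hits.append(m.group(0))
    return hits


def heap_spray_indicators(doc):
    """Count %u-encoded words and find the largest for-loop bound in the page's script."""
    escapes = len(UNICODE_ESC_RE.findall(doc))
    bounds = [int(n) for n in LOOP_BOUND_RE.findall(doc)]
    return escapes, max(bounds, default=0)


def classify(doc):
    """Combine the indicators into a verdict: malicious, suspicious or clean."""
    ids = [i.lower() for i in XML_ISLAND_RE.findall(doc)]
    redeclared = {i for i in ids if ids.count(i) > 1}
    bound = {island for island, _ in html_bound_spans(doc) if island in ids}
    dup = duplicate_src_images(doc)
    escapes, loop = heap_spray_indicators(doc)
    spray = escapes >= SPRAY_MIN_ESCAPES and loop >= SPRAY_MIN_LOOP

    if dup and bound:
        verdict = "malicious"    # the data-binding trigger itself is present
    elif dup or spray or redeclared:
        verdict = "suspicious"   # pieces of the pattern without the full trigger
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "bound_islands": sorted(bound),
        "redeclared_islands": sorted(redeclared),
        "duplicate_src_tags": len(dup),
        "heap_spray": spray,
    }


if __name__ == "__main__":
    for name, doc in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, classify(doc))
```

The verdict deliberately keys on the binding trigger rather than on the spray: a page that only contains a large %u blob and a fill loop is flagged as suspicious, because the same spray code is reused across unrelated browser exploits, while the duplicate-src image inside an HTML-bound island is specific to this bug and is what an IDS signature should anchor on.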
 
The vulnerability is being actively exploited; there are several reports from Chinese sources of the attack in action. A brief look at the shellcode indicates that the exploit attempts to pull down a file from here (URL obfuscated):
 
hxxp://www.b!i!!c.!n/d!!!/ko.exe
 
This sample hit our scanner earlier today, and you can see the scan results here.
 
The full public exploit is available here.
 
For the moment there is no patch for the vulnerability, but various anti-virus vendors have implemented signatures to detect the exploit, and several IDS vendors have done the same for their products. Signatures only catch the variants they were written for, so to ensure that nothing gets triggered while you are not yet protected, using an alternative browser such as Firefox or Google Chrome helps mitigate the risk. Where switching browsers is not an option, Microsoft's security advisory for this issue also lists workarounds, such as enabling DEP for Internet Explorer 7 and restricting access to OLEDB32.dll.