Microsoft is facing a zero day in Internet Explorer, and while it works on a patch it has released a workaround. The problem is that there is now a workaround for the workaround.
Security researchers at Exodus Intelligence developed a bypass for the Fix It Microsoft released as a temporary mitigation.
Their new exploit beat a fully patched Windows system running IE 8, the same version of the browser exploited by malware used in watering hole attacks against political and manufacturing websites, including the Council on Foreign Relations in the U.S., and Chinese human rights site Uygur Haber Ajanski.
IE 6 and 7 also hold the same use-after-free memory vulnerability (CVE-2012-4792), but are currently facing exploits. Microsoft said the impact of the attacks seems limited and that IE 9 and 10 are not vulnerable.
Brandon Edwards, vice president of Intelligence at Exodus, said his firm’s researchers looked at the Fix It to determine how much of the vulnerability it prevented.
“Usually, there are multiple paths one can take to trigger or exploit a vulnerability,” Edwards said. “The Fix It did not prevent all those paths.”
The Fix It, according to Microsoft, is an appcompat shim that patches a particular function in memory so that it always returns NULL, resulting in a safe crash of the browser rather than allowing remote code execution.
“It comes down to clearly understanding the root cause and ways the browser can get to the affected code,” Edwards said. “The Fix It covered paths used by the exploit, but not all the ways the vulnerability can be reached. A full patch should eliminate all those possibilities.”
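The coverage point Edwards makes, that a shim which neutralizes one entry point does not remove the bug itself, can be shown with a small model. The program below is an added example and is not Microsoft's Fix It or Exodus's code; it invents a shared vulnerable function `touch()` reachable by two hypothetical paths, a shim that only forces path A to hand over NULL, and a root-cause fix that guards the shared code. Object lifetime is tracked with an `alive` flag instead of real `malloc`/`free`, so nothing here touches freed memory and the outcomes are deterministic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not Microsoft's or Exodus's code). Models why an
 * in-memory shim that makes one entry point return NULL covers only the
 * paths it hooks, while a fix at the root cause covers every path.
 * Lifetime is simulated with a flag; no memory is actually freed. */

enum outcome { OK = 0, SAFE_NULL = 1, USE_AFTER_FREE = 2 };

typedef struct {
    bool alive;   /* false once the object has been "freed" */
    int value;
} object_t;

/* Toggles standing in for the appcompat shim and the real patch. */
static bool g_shim_installed = false;   /* hooks path A only */
static bool g_root_cause_fixed = false; /* guards the shared code */

/* The shared function that dereferences the object: the vulnerable spot.
 * A NULL argument is handled safely, which is what the shim relies on.
 * With the root-cause fix, a stale (freed) object is also rejected. */
static enum outcome touch(object_t *obj) {
    if (obj == NULL) return SAFE_NULL;                 /* safe bail-out */
    if (g_root_cause_fixed && !obj->alive) return SAFE_NULL;
    if (!obj->alive) return USE_AFTER_FREE;            /* stale use */
    obj->value++;
    return OK;
}

/* Path A (hypothetical): the route the public exploit used. The shim
 * hooks this entry point so it always hands NULL to the shared code. */
static enum outcome path_a(object_t *obj) {
    object_t *lookup = g_shim_installed ? NULL : obj;
    return touch(lookup);
}

/* Path B (hypothetical): a second route to the same code, not hooked. */
static enum outcome path_b(object_t *obj) {
    return touch(obj);
}

/* Drive one scenario: the object is "freed" (alive = false) but a stale
 * reference is still used through the chosen path. Returns the outcome. */
static enum outcome stale_use(enum outcome (*path)(object_t *),
                              bool shim, bool fixed) {
    object_t obj = { .alive = true, .value = 0 };
    g_shim_installed = shim;
    g_root_cause_fixed = fixed;
    obj.alive = false;   /* stand-in for free() leaving a dangling pointer */
    return path(&obj);
}

/* Same drive for a live object, to show the fix does not break normal use. */
static enum outcome normal_use(enum outcome (*path)(object_t *), bool fixed) {
    object_t obj = { .alive = true, .value = 0 };
    g_shim_installed = false;
    g_root_cause_fixed = fixed;
    return path(&obj);
}

static const char *name(enum outcome o) {
    return o == OK ? "ok" : o == SAFE_NULL ? "safe (NULL)" : "USE-AFTER-FREE";
}

int main(void) {
    printf("no mitigation,  path A: %s\n", name(stale_use(path_a, false, false)));
    printf("shim installed, path A: %s\n", name(stale_use(path_a, true, false)));
    printf("shim installed, path B: %s\n", name(stale_use(path_b, true, false)));
    printf("root cause fix, path A: %s\n", name(stale_use(path_a, false, true)));
    printf("root cause fix, path B: %s\n", name(stale_use(path_b, false, true)));
    return 0;
}
```

Running it prints the shim turning path A into a safe NULL result while path B still reaches the stale object; the root-cause fix closes both. The check a defender takes from this is that a workaround's coverage should be measured against every route to the affected code, not only against the one sample that was caught in the wild.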
In the meantime, a handful of political, social and human rights sites in the U.S., Russia, China and Hong Kong remain infected, for weeks in some cases, serving malware that exploits the IE zero day.
Microsoft is aware of the Exodus Intelligence exploit; researchers at Exodus said they will not disclose details of their exploit until Microsoft addresses the vulnerability.
Earlier this week, Exodus developed what it called a more advanced exploit of the IE vulnerability, which led its researchers to look more closely at the Fix It. Unlike the original remote code injection exploit, this one does not require a heap spray.
Peter Vreugdenhil said they were able to take advantage of IE 8's support for HTML+TIME, which Microsoft no longer supports in more current versions of the browser. The researchers were able to create an array of pointers to strings they controlled, he said, enabling them to control system calls without a heap spray.