IE7 exploit in the wild

Among the February 2009 Microsoft Security Bulletins we posted about last week [1] was a vulnerability affecting Internet Explorer 7 (MS09-002). Yesterday you may have seen that the vulnerability assessment page for this one [2] was updated to reflect the fact that we have seen this vulnerability exploited in the wild.

The web page in question contains a malicious script that attempts to exploit MS09-002.

Fortunately, this malicious script is proactively detected as Mal/JSShell-B: an alert is generated at the endpoint, and an in-browser notification is added to the page.

(For users behind the Sophos web appliance the end result would have been the same – malicious content blocked, and a similar warning message displayed to the user in their browser.)

Curious to see how well our buffer overflow protection (BOPs) would fare against this threat, I intentionally disabled the Mal/JSShell-B detection and attempted to browse the malicious page. The threat was still blocked, once again illustrating the effectiveness of BOPs.

What about the payload of the exploit? It attempts to install a Trojan from the same site. This is also proactively detected, as Mal/Behav-116. If executed, the Trojan attempts to install a malicious DLL (winnet.dll) into the system folder. The runtime protection (HIPS) provided by Sophos blocks the Trojan, triggering a HIPS/ProcMod-005 alert. Additionally, detection for the DLL was added as Mal/SpyAgent-C yesterday.

Though Sophos users were proactively protected from this specific attack, users should not be complacent. Patch relevant systems as soon as possible [3]. Users not yet running either HIPS or BOPs protection should also enable these additional layers of protection, which have proven themselves time and time again against new attacks [for example 4,5].