Microsoft has issued an advisory for an unpatched vulnerability affecting all versions of Internet Explorer on all platforms. The vulnerability could allow a malicious Web page to trigger a denial of service or remote code execution in the context of the IE user. Exploit code for the vulnerability has been published, but there are no reports yet of active exploits in the wild.

The vulnerability is a “use-after-free” bug in the CSharedStyleSheet::Notify function of the CSS parser in mshtml.dll; multiple @import calls in the attack document trigger it. It was first reported by wooyun.org.

The published exploit bypasses Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) by taking advantage of a library that IE loads (mscorie.dll). That library was not compiled with the /DYNAMICBASE linker option that opts a module into ASLR, so it loads at the same, predictable address every time. Microsoft doesn’t say why this library, and apparently others, weren’t built with the option, but it suggests using its Enhanced Mitigation Experience Toolkit (EMET) to force all loaded DLLs to rebase dynamically. With that change the exploit is highly unlikely to succeed. A video on the Microsoft Web site demonstrates the process.
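Whether a module can be rebased at all is visible in its PE header: the DllCharacteristics field of the optional header carries the /DYNAMICBASE and NX-compatibility bits, and the COFF Characteristics field records whether relocation data was stripped (a module without relocations cannot be moved even by EMET's mandatory ASLR). The following Python script is an added example, not code from the article or from Microsoft; it parses those two fields, classifies an image as self-randomizing, rebasable only under mandatory ASLR, or fixed, and runs against header-only PE blobs constructed in memory (the sample names and the scan_directory helper are assumptions for illustration).

```python
"""Check which PE files (DLLs) opt into ASLR/DEP via their header flags.

Added example: parses the PE optional header's DllCharacteristics field
and the COFF header's Characteristics field. Sample images are constructed
in memory; scan_directory() shows how to run the same check on real files.
"""
import struct
from pathlib import Path

# IMAGE_DLLCHARACTERISTICS_* and IMAGE_FILE_* flag values from the PE/COFF spec
DYNAMIC_BASE = 0x0040      # image may be relocated at load time (/DYNAMICBASE, opt-in ASLR)
NX_COMPAT = 0x0100         # image is compatible with DEP (/NXCOMPAT)
RELOCS_STRIPPED = 0x0001   # COFF flag: no .reloc data, so the image can never be rebased


def pe_mitigation_flags(data: bytes) -> dict:
    """Return the ASLR/DEP-relevant header bits of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: SizeOfOptionalHeader at +16, Characteristics at +18
    size_of_optional, coff_chars = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if size_of_optional < 72:
        raise ValueError("optional header too short")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "relocs_stripped": bool(coff_chars & RELOCS_STRIPPED),
    }


def classify(data: bytes) -> str:
    """Summarize how ASLR applies to the image."""
    f = pe_mitigation_flags(data)
    if f["dynamic_base"] and not f["relocs_stripped"]:
        return "aslr"        # the loader randomizes it on its own
    if f["relocs_stripped"]:
        return "fixed"       # no relocations: nothing can move it
    return "rebasable"       # predictable by default; mandatory ASLR (EMET) can rebase it


def scan_directory(path: str) -> dict:
    """Classify every *.dll under path (real use; not exercised by the samples)."""
    results = {}
    for dll in Path(path).glob("*.dll"):
        try:
            results[dll.name] = classify(dll.read_bytes())
        except (ValueError, OSError) as exc:
            results[dll.name] = "error: %s" % exc
    return results


def make_pe(dll_characteristics: int, coff_characteristics: int = 0,
            magic: int = 0x10B) -> bytes:
    """Build a minimal, header-only PE image (constructed test data, not loadable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 72, coff_characteristics)
    optional = (struct.pack("<H", magic) + b"\0" * 68
                + struct.pack("<H", dll_characteristics))
    return dos + b"PE\0\0" + coff + optional


# Constructed samples standing in for real DLLs (names are hypothetical)
SAMPLES = {
    "aslr_ok.dll": make_pe(DYNAMIC_BASE | NX_COMPAT),
    "no_aslr.dll": make_pe(NX_COMPAT),                  # built without /DYNAMICBASE, like mscorie.dll
    "no_relocs.dll": make_pe(NX_COMPAT, RELOCS_STRIPPED),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, classify(blob), pe_mitigation_flags(blob))
```

Running the script prints one line per sample; pointing scan_directory() at a directory of real DLLs gives the same verdict for each file, so a module that comes back "rebasable" is one that mandatory ASLR can fix, while "fixed" modules cannot be helped by that setting at all.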


Microsoft also stresses that Protected Mode in Internet Explorer 7 and 8 on Windows Vista, Windows 7, and Windows Server 2008 mitigates the vulnerability by limiting the privileges of any attack code that succeeds in exploiting it.
