Latest Internet Explorer Zero Day Exploited In The Wild

February 14, 2014

The Dell SonicWALL Threats Research Team has spotted the latest zero-day exploit, which targets vulnerability CVE-2014-0322.
The exploit targets Internet Explorer 10 and uses specially crafted JavaScript to trigger a use-after-free condition.
It was served from an infected website, which has since taken down the malicious HTML.

The following shows the structure of the exploit.

Here an ActiveXObject is instantiated.

Here we can see the code responsible for the memory corruption.

Here the function puIHa3 checks for the presence of a DLL and then references the SWF file.
We can also see that the exploit specifically checks for the presence of IE 10.

The SWF file uses ExternalInterface to invoke puIHa3 in the JavaScript above.

The SWF is also responsible for allocating the additional bytes needed for successful exploitation.

We have implemented the following signatures to detect the attack.

  • IPS: 6315 HTTP Client Shellcode Exploit 11a
  • IPS: 7454 HTTP Client Shellcode Exploit 35a
  • GAV: CVE-2014-0322#swf (Exploit)
  • GAV: CVE-2014-0322#html (Exploit)
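
A static triage heuristic for the page structure described above, as an added example that is not Dell SonicWALL's signature logic or code from the original post. The regular expressions, the trait names and both sample pages are constructed assumptions; the samples are inert and contain no exploit code.

```python
import re

# Trait patterns are assumptions for illustration, not vendor signature content.
TRAITS = {
    "activex": re.compile(r"new\s+ActiveXObject\s*\(", re.I),
    "dll_check": re.compile(r"\.dll\b", re.I),
    "ie10_check": re.compile(r"MSIE\s*10", re.I),
    "swf_ref": re.compile(r"\.swf\b", re.I),
}
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
FUNC = re.compile(r"function\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{")

def function_bodies(js):
    """Map each named function to its body (naive brace matching)."""
    bodies = {}
    for m in FUNC.finditer(js):
        depth, i = 1, m.end()
        while i < len(js) and depth:
            depth += {"{": 1, "}": -1}.get(js[i], 0)
            i += 1
        bodies[m.group(1)] = js[m.end():i - 1]
    return bodies

def triage(html):
    """Report which described traits a page shows and which functions fit the
    role the write-up gives puIHa3 (DLL check plus SWF reference)."""
    js = "\n".join(SCRIPT.findall(html))
    traits = sorted(n for n, rx in TRAITS.items() if rx.search(html))
    callbacks = sorted(
        name for name, body in function_bodies(js).items()
        if TRAITS["dll_check"].search(body) and TRAITS["swf_ref"].search(body))
    return {"traits": traits, "callbacks": callbacks,
            "suspicious": len(traits) == len(TRAITS) and bool(callbacks)}

# Constructed, inert sample pages; hasFile and loadMovie are hypothetical names.
SAMPLE_FLAGGED = """<html><body><script>
var probe = new ActiveXObject("Example.Component");
function cbLoader() {
  if (navigator.userAgent.indexOf("MSIE 10") === -1) { return; }
  var present = hasFile("example.dll");
  loadMovie("movie.swf");
}
</script></body></html>"""
SAMPLE_CLEAN = """<html><body><embed src="banner.swf">
<script>function init() { console.log("ready"); }</script></body></html>"""

if __name__ == "__main__":
    for label, page in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(label, triage(page))
```

A page is flagged only when all four traits co-occur and one function combines the DLL check with the SWF reference, so an ordinary Flash embed on its own is not reported.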