MS IE Aurora Memory Corruption

January 15, 2010

A 0day memory corruption vulnerability, codenamed Aurora, in the Internet Explorer browser has been disclosed. Most versions of the product are affected by the flaw. The vulnerability can be leveraged by accessing a freed or deleted DOM object through scripting. This action manifests itself internally as an invalid memory pointer reference which can in turn be manipulated to divert process flow of the browser. Exploitation resulting in code execution has been proven to be rather consistent and stable across all vulnerable versions of the affected product except for version 7 and 8 providing that DEP has been enabled.

The vulnerability is reported to have been exploited in targeted attacks. Exploitation requires the attacker to entice the target user to follow an HTTP link to the site hosting malicious code. The target browser has to have scripting enabled to be vulnerable.

Due to the nature of the bug and the virtually limitless ways of hiding or otherwise obfuscating malicious code exploiting the flaw, it is not feasible to develop an IPS signature that would encompass all attack cases. However, SonicWALL already has numerous existing IPS signatures that detect and block popular shell code used in HTML attacks which may be blocking attacks targeting this flaw. SonicWALL has released an additional IPS signature addressing the publicly released exploit and its variations. The following signature has been released:

  • 4711 - Javascript ASCII Table Lookup Attempt

The vendor has released a security advisory addressing this issue. Mitre has assigned the vulnerability the id CVE-2010-0249. A working public exploit has also been released by the metasploit project.