The vulnerability in Internet Explorer is very similar to other vulnerabilities we have seen in Microsoft's browser in that it allows the attacker to perform a drive-by download attack: it is enough for the user to visit a malicious or compromised website, or to view a specially crafted HTML email, to be infected. No download prompt, plugin, or user interaction beyond rendering the page is needed. Unfortunately this also means that it is just a matter of time before we see large-scale attacks using the new vulnerability.
Limited public use
Over the weekend our ThreatSeeker(TM) network identified limited public use of the new vulnerability. The malicious page was hosted on http://66cc.[REMOVED]:2988/dz/ie.html but has since been taken offline. Below is a screenshot of the example code:
Websense includes active protection in our Web Security Gateway to protect against any attack that uses this vulnerability so our customers are protected. Below is a screenshot of one of our internal tools and how it deobfuscates the attack page.
Reading the srcElement property of the event object is not a plain field access. It is dispatched as a method call inside mshtml.dll, to "CEventObj::GenericGetElement", which retrieves the element referenced by the event object. To do so it calls a method through the vtable of that element, and at this point the element's memory is already corrupted, so the vtable pointer is attacker-influenced. The method reached this way is "CElement::GetDocPtr", which looks like the following.
By the time this method runs, ecx already points into the pre-allocated heap-sprayed area, so the indirect call instruction moves eip into the sprayed data and the malicious shellcode finally takes control of the mother ship. The public exploit only works reliably on Internet Explorer 6. Internet Explorer 7 is also vulnerable in its default configuration. Internet Explorer 8 is not affected by this exploit because DEP is enabled by default there: the sprayed heap is non-executable data, so the transfer of eip into it raises an access violation instead of running the shellcode.
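The dispatch chain described above, modelled in C as an added example: this is not code from the original post, from mshtml.dll, or from the public exploit. The element layout (vtable pointer in word 0), the static arrays standing in for the heap and the sprayed area, the self-referential sprayed value, and the IE version labels in main are all assumptions made for the illustration. The model shows why the same corrupted vtable pointer ends in shellcode without DEP and in an access violation with it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct CElement CElement;
typedef int (*GetDocPtrFn)(CElement *self);

/* Simplified element object. Word 0 is the vtable pointer: this is the memory
 * ecx points at when the call inside CElement::GetDocPtr is dispatched. */
struct CElement {
    uintptr_t vtbl;   /* address of a table of method addresses */
    int       doc_id; /* stand-in for the document pointer the method returns */
};

/* The genuine method and its vtable (read-only image data in the real browser). */
static int real_GetDocPtr(CElement *self) { return self->doc_id; }
static uintptr_t real_vtbl[1];

/* Stand-in for the heap-sprayed area: a large block of attacker-chosen words at a
 * predictable address (assumption: a static array instead of sprayed JavaScript strings). */
#define SPRAY_WORDS 4096
static uintptr_t spray[SPRAY_WORDS];

/* Single element slot: allocated, released, then reclaimed by attacker data. */
static CElement element_storage;

enum dispatch_result { DISPATCH_LEGIT = 0, DISPATCH_SPRAY = 1, DISPATCH_DEP_FAULT = 2, DISPATCH_CRASH = 3 };

static int in_spray(uintptr_t a) {
    return a >= (uintptr_t)&spray[0] && a < (uintptr_t)&spray[SPRAY_WORDS];
}

/* Address the CPU would jump to: load the vtable pointer from the object,
 * then slot 0 of that table, exactly as the indirect call does. */
static uintptr_t resolve_target(const CElement *el) {
    const uintptr_t *table = (const uintptr_t *)el->vtbl;
    return table[0];
}

/* Model of GenericGetElement reaching GetDocPtr through the object's vtable.
 * dep_enabled says whether the sprayed heap is executable. */
static enum dispatch_result dispatch_getdocptr(CElement *el, int dep_enabled, int *doc_out) {
    uintptr_t target = resolve_target(el);
    if (target == (uintptr_t)real_GetDocPtr) {
        *doc_out = ((GetDocPtrFn)target)(el);  /* normal virtual call */
        return DISPATCH_LEGIT;
    }
    if (in_spray(target)) {
        /* eip now sits in the sprayed data: without DEP the nop sled and shellcode
         * execute; with DEP the page is non-executable and the call faults. */
        return dep_enabled ? DISPATCH_DEP_FAULT : DISPATCH_SPRAY;
    }
    return DISPATCH_CRASH;  /* wild pointer: access violation either way */
}

static CElement *create_element(int doc_id) {
    real_vtbl[0] = (uintptr_t)real_GetDocPtr;
    element_storage.vtbl = (uintptr_t)real_vtbl;
    element_storage.doc_id = doc_id;
    return &element_storage;
}

/* The element's memory is released while the event object still refers to it,
 * and spray data takes its place. The sprayed word points at the spray itself, so
 * reading it as a vtable and then as a method address resolves back into the spray
 * (self-referential layout of a classic heap spray; assumption, the post does not
 * show the spray bytes). */
static void release_and_spray(CElement *dangling) {
    uintptr_t sprayed = (uintptr_t)&spray[0];
    for (size_t i = 0; i < SPRAY_WORDS; i++) spray[i] = sprayed;
    dangling->vtbl   = sprayed;       /* word 0: what ecx will read as the vtable */
    dangling->doc_id = (int)sprayed;  /* the rest of the object is spray data too */
}

/* Full sequence: normal use, release, spray, then the srcElement access. */
static enum dispatch_result run_scenario(int dep_enabled) {
    int doc = 0;
    CElement *el = create_element(42);
    if (dispatch_getdocptr(el, dep_enabled, &doc) != DISPATCH_LEGIT || doc != 42)
        return DISPATCH_CRASH;
    release_and_spray(el);
    return dispatch_getdocptr(el, dep_enabled, &doc);
}

/* Sanity helper: the legitimate path returns the document id untouched. */
static int legit_doc_value(void) {
    int doc = 0;
    dispatch_getdocptr(create_element(42), 1, &doc);
    return doc;
}

int main(void) {
    static const char *names[] = { "legitimate call", "eip in sprayed heap: shellcode runs",
                                   "DEP: access violation on non-executable heap", "crash" };
    printf("IE6/IE7, no DEP: %s\n", names[run_scenario(0)]);
    printf("IE8, DEP on:     %s\n", names[run_scenario(1)]);
    return 0;
}
```

The point the model makes is that DEP does not fix the corrupted vtable pointer at all; the call still resolves into the spray. It only changes what happens when eip arrives there, which is why enabling DEP for the browser process is a mitigation for this class of exploit rather than a fix for the bug.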
This analysis is based on public exploit code available on the Internet; the exploit has also been added to the Metasploit Framework. We are working with Microsoft to identify websites using the new vulnerability, using our ThreatSeeker(TM) network, which scans hundreds of millions of websites every day.
Update: We published a follow-up blog here: Update on the Microsoft Internet Explorer 0-day