Wednesday, July 22, 2009

Another IE 0-day

Another 0-day was released in-the-wild targeting Microsoft Internet Explorer. The bug is inside msvidctl.dll when working with media file (*.gif have been used in the wild exploitation). Below is the in-the-wild exploit analyzed by us (we modified the shellcode to %uxcccc).

Figure 1.0 showed the exception handler is executed and will pointing to our jump address (0c0c0c0c).

Figure 2.0 show the shellcode (xcc) been executed.

It's not really a common stack overflow bug. Please read excellent  vulnerability analysis done by websense <a href="">here</a>.

MyCERT released the <a href="">advisory</a> and workaround (yes, with pictures) on how to do the 'kill-bit' thing for this particular CLSID.

No comments: