Windows Vista: Symantec Warned of New Attack

Security company Symantec has warned of new attacks targeting Windows Vista via a critical vulnerability in Internet Explorer 7. The exploit is designed to speculate copies of the operating system that have not been patched with the security updates released by Microsoft on June 12, 2007. The Speech Control Memory Corruption vulnerability does not impact […]

Security company Symantec has warned of new attacks targeting Windows Vista via a critical vulnerability in Internet Explorer 7. The exploit is designed to speculate copies of the operating system that have not been patched with the security updates released by Microsoft on June 12, 2007. The Speech Control Memory Corruption vulnerability does not impact Windows Vista directly, but instead affects Internet Explorer 7, one of the components that ship by default with the operating system, but also previous versions of the browser. 
The risk is maximum  for exposed systems, as the flaw allows for remote code execution in the eventuality of
a successful attack.

"What makes this case special is the fact that this is the first detected instance of in-the-wild exploitation of Microsoft Internet Explorer Speech API 4 COM Object Instantiation Buffer Overflow Vulnerability. This exploit appears to be a derivation of the publicly available exploit released at milw0rm.com. The malicious attacker can instantiate these COM objects via Internet Explorer, and pass overly long arguments to certain routines. In this case, the exploit passes a maliciously crafted argument (ModeName) to the DirectSS.FindEngine function. The overflowed buffer is then populated with attacker-supplied shellcode over-writing the Structured Exception Handler, thus resulting in the execution of arbitrary code," revealed Pukhraj Singh, Symantec Senior Threat Analyst.

Exploits for the IE Speech Control Memory Corruption vulnerability are served via a compromised website which also targets Xunlei, a Chinese peer-to-peer application. Both exploits feature the same payload. In this context, an attack would infect the computer with W32.Looked.BK, a network-aware worm created to compromise executable files on the local drives and across a network.

"Another interesting aspect of this attack was the clever JavaScript obfuscation techniques used to hide these attacks. At first glance, what appeared to be a garbled webpage turns out to be an obfuscated JavaScript exploit using up to six-levels of obfuscation (see image). This is primarily used to evade security products like web-application which implement on-the-fly script parsers," Singh added.

Source:→ softpedia

Microsoft, Windows Vista, Symantec