

Metasploit reproduces the "Aurora" IE zero-day from "China" attacks - tptacek
http://blog.metasploit.com/2010/01/reproducing-aurora-ie-exploit.html

======
tptacek
From HD's blog post, here's a link to the original disclosed exploit:

[http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07...](http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js)

DEP stops it on IE7 and IE8.

It looks like use-after-free; an event is created for a DOM object, stored,
the DOM object is cleared, and the DOM object is referenced through the event
object from a second event.
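
As an added example (not code from the thread, the Metasploit module or the disclosed exploit), the following constructed C model shows the object-lifetime pattern tptacek describes: a DOM node is created, an event object that refers to it is stored, the node is destroyed when its parent is cleared, and a second handler reaches the node through the stored event. The `dom_node` and `event_obj` structures and the reference-count bookkeeping are hypothetical and stand in for whatever the browser does internally. The "raw" event keeps a bare pointer, so the node is freed while the event still points at it; the "counted" event takes its own reference, so the node outlives its removal from the tree until the event releases it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical structures for the demo, not IE internals. */
typedef struct dom_node {
    char tag[16];
    int refcount;            /* holders: the tree, plus any event that took a reference */
} dom_node;

typedef struct event_obj {
    dom_node *src_element;   /* stored source element, the analogue of event.srcElement */
    int holds_ref;           /* 1 if this event owns a reference on src_element */
} event_obj;

static int g_freed_nodes;    /* demo bookkeeping: how many nodes have actually been freed */

static dom_node *node_create(const char *tag) {
    dom_node *n = calloc(1, sizeof *n);
    if (!n) abort();
    snprintf(n->tag, sizeof n->tag, "%s", tag);
    n->refcount = 1;         /* the tree's reference */
    return n;
}

static void node_release(dom_node *n) {
    if (--n->refcount == 0) {
        memset(n, 0xdd, sizeof *n);   /* poison so a stale read stands out under a debugger */
        free(n);
        g_freed_nodes++;
    }
}

/* Vulnerable shape: the event stores a bare pointer and takes no reference. */
static event_obj event_create_raw(dom_node *src) {
    event_obj e = { src, 0 };
    return e;
}

/* Fixed shape: the event takes its own reference on the source element. */
static event_obj event_create_counted(dom_node *src) {
    event_obj e = { src, 1 };
    src->refcount++;
    return e;
}

/* Clearing the parent (innerHTML = "" analogue) drops the tree's reference. */
static void tree_clear(dom_node *n) {
    node_release(n);
}

/* Second handler: reads the node through the stored event object. */
static const char *second_handler_tag(const event_obj *e) {
    return e->src_element->tag;
}

static void event_release(event_obj *e) {
    if (e->holds_ref) {
        node_release(e->src_element);
        e->holds_ref = 0;
    }
    e->src_element = NULL;
}

/* Bug sequence: returns 1 if the node was freed while an event created from it
 * was still live, i.e. the second handler would read freed memory.  The stale
 * pointer is deliberately not dereferenced here. */
static int raw_sequence_dangles(void) {
    g_freed_nodes = 0;
    dom_node *img = node_create("IMG");
    event_obj ev = event_create_raw(img);     /* first handler stores the event */
    tree_clear(img);                          /* frees img: ev.src_element now dangles */
    int dangles = (g_freed_nodes == 1);
    event_release(&ev);                       /* raw event has nothing to release */
    return dangles;
}

/* Fixed sequence: returns 1 if the node was still alive and readable when the
 * second handler ran, and was freed only once the event let go of it. */
static int counted_sequence_alive(void) {
    g_freed_nodes = 0;
    dom_node *img = node_create("IMG");
    event_obj ev = event_create_counted(img);
    tree_clear(img);                          /* tree's reference gone, event's remains */
    int alive = (g_freed_nodes == 0) && strcmp(second_handler_tag(&ev), "IMG") == 0;
    event_release(&ev);                       /* last reference: node is freed now */
    return alive && (g_freed_nodes == 1);
}

int main(void) {
    printf("raw event: node freed while event still live = %d\n", raw_sequence_dangles());
    printf("counted event: node alive at second handler   = %d\n", counted_sequence_alive());
#ifdef RUN_UAF
    /* Actual use-after-free read; build with -DRUN_UAF -fsanitize=address to see the report. */
    dom_node *img = node_create("IMG");
    event_obj ev = event_create_raw(img);
    tree_clear(img);
    printf("raw read after free: %s\n", second_handler_tag(&ev));
#endif
    return 0;
}
```

The default build only reports the bookkeeping; compiling with `-DRUN_UAF -fsanitize=address` performs the stale read and AddressSanitizer flags it as a heap-use-after-free, which is the same shape of report a fuzzer or crash triage would show for the real bug.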

~~~
tptacek
This is, _I think_ , a reduction of the underlying problem (in Haml):

<http://pastie.org/780341>

------
pavs
Hopefully this will force _some_ of the companies to rethink their policy on
insisting on using IE6 to support outdated software.

~~~
tptacek
It affects IE7 too, and may affect IE8 when DEP is disabled.

~~~
pavs
According to this: [http://mashable.com/2010/01/15/german-government-stop-using-...](http://mashable.com/2010/01/15/german-government-stop-using-internet-explorer/) it affects all IE versions even in "protected" mode. I am
guessing they are referring to DEP.

I am so happy that this single event might start a _major_ decline in IE
market share. I am sick and tired of doing IE specific hacks for my sites.

~~~
tptacek
No, "protected mode" and DEP aren't the same thing.

