Skip to navigation
Latest News

IE zero-day exploit disappears on reboot


By Shona Ghosh

Posted on 11 Nov 2013 at 11:34

Criminals are taking advantage of unpatched holes in Internet Explorer to launch "diskless" attacks on PCs visiting malicious sites.

Security company FireEye uncovered the zero-day flaw on at least one breached US site, describing the exploit as a "classic drive-by download attack".

But FireEye also noted the malware doesn't write to disk and disappears on reboot - provided it hasn't already taken over your PC - making it trickier to detect, though easier to purge.

"[This is] a technique not typically used by advanced persistent threat (APT) actors," the company said. "This technique will further complicate network defenders' ability to triage compromised systems, using traditional forensics methods."

The vulnerability affects English-language versions of IE 7, 8, 9 and 10 on Windows XP and Windows 7.

Microsoft has not responded to a request for comment but told Ars Technica that it was still looking into the report. FireEye said attacks could be prevented with the latest version of Microsoft's Enhanced Mitigation Experience Toolkit, a malware blocking tool.

The exploit is separate from the Windows zero-day vulnerability revealed last week, which involves the TIFF graphics-format parser.

How it works

According to FireEye, the exploit takes advantage of two separate vulnerabilities in Internet Explorer - system information leaks and remote access to a PC's memory.

The company described the exploit as "exceptionally accomplished", and said attackers had managed to insert the exploit into a site likely visited by US defence workers, though it didn't say which.

"Specifically, the attackers inserted this zero-day exploit into a strategically important website, known to draw visitors that are likely interested in national and international security policy," said FireEye.

Using malware that doesn't stick around on reboot signalled the attackers' "confidence" in their own ability to take control of infected machines fast.

"As the payload was not persistent, the attackers had to work quickly, in order to gain control of victims and move laterally within affected organisations," said the company. "If the attacker did not immediately seize control of infected endpoints, they risked losing these compromised endpoints, as the endpoints could have been rebooted at any time."

Alternatively, it's possible the hackers were certain their intended victims would likely revisit the compromised site, FireEye said.

Subscribe to PC Pro magazine. We'll give you 3 issues for £1 plus a free gift - click here
User comments

So it only lasts a month

Given that most people only reboot on patch Tuesday the exploit will be present for quite a long time.

By tirons1 on 11 Nov 2013

Makes sense. For some crazy reason DoD and USG like IE, and make their sites more user friendly and compatible for IE than for more secure browsers like FF or GC. I only use IE when a site makes other browsers difficult to use.

By nightdreamer on 11 Nov 2013

Not affected?

So IE11 on Windows 7 is not affected and IE 10 and 11 on Windows 8 are unaffected?

And as all my machines are German language, they are unaffected anyway?

By big_D on 12 Nov 2013

Leave a comment

You need to Login or Register to comment.



Most Commented News Stories
Latest Blog Posts Subscribe to our RSS Feeds
Latest ReviewsSubscribe to our RSS Feeds
Latest Real World Computing


Sponsored Links

Your email:

Your password:

remember me


Hitwise Top 10 Website 2010

PCPro-Computing in the Real World Printed from

Register to receive our regular email newsletter at

The newsletter contains links to our latest PC news, product reviews, features and how-to guides, plus special offers and competitions.