IE Zero Day is "For Real"

Published: 2012-09-17
Last Updated: 2012-09-17 15:51:11 UTC
by Rob VandenBrink (Version: 1)

15 comment(s)

We've had numerous readers write in about an IE8 zero day; most pointed us here for more info on it: http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/

Since I'm not a "Malware Analysis Guy" (at least until I take Lenny's Forensics 610 class), I hunted around for some confirmation before I posted. 

I guess a Metasploit module that exploits it counts as confirmation!
http://dev.metasploit.com/redmine/projects/framework/repository/revisions/aac41e91fd38f99238971892d61ead4cfbedabb4/entry/modules/exploits/windows/browser/ie_execcommand_uaf.rb

Also more info here: http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day

And yes, there is code in the wild that exploits this (since Sept 14th). And no, there is no patch for it yet.

If you're still running IE7, 8 or 9, today is a good day to think about switching browsers for a couple of weeks.

(thanks to our readers, who corrected my original post - this zero day affects not just IE8, but also IE7 and IE9)

===============
Rob VandenBrink
Metafore

 

Keywords: ie ie7 ie8 ie9 zero day

Comments

IE9 won't save you (and neither will IE7):
https://community.rapid7.com/community/metasploit/blog/2012/09/17/lets-start-the-week-with-a-new-internet-explorer-0-day-in-metasploit
posted by Paul, Mon Sep 17 2012, 15:34
Like Paul said, this is for IE 7 - 9, not just 8. Until a patch is released, you should not use IE.
posted by darkphyber, Mon Sep 17 2012, 15:37
Would the latest version of EMET that includes the ROP protections for java and iexplore executables block this attack? Wondering if it is a compensating control until the patch is released.
posted by Terri, Mon Sep 17 2012, 15:44
Any CVE# for this yet?
posted by cve guy, Mon Sep 17 2012, 22:59
IE 6 through 9 vulnerable: http://technet.microsoft.com/en-us/security/advisory/2757760
posted by Brian, Tue Sep 18 2012, 03:56
According to this article, EMET should protect you. http://www.reuters.com/article/2012/09/18/net-us-microsoft-browser-idUSBRE88G1CA20120918
posted by Rob, Tue Sep 18 2012, 05:12
See also http://technet.microsoft.com/en-us/security/advisory/2757760

IE 6, 7, 8, 9 and 10 are affected on most platforms.
posted by Doug, Tue Sep 18 2012, 06:28
Is this a candidate for moving the threat level to Yellow?
posted by Seeker, Tue Sep 18 2012, 14:31
Sir, are you absolutely sure? It does mean changing the bulb.
posted by Kryten, Tue Sep 18 2012, 20:58
Suggesting that another browser be used does not work when the Corporate accounting system cannot function in any browser except IE.
posted by KBR, Tue Sep 18 2012, 22:45
Add corporate accounting system and intranet sites to trusted sites in IE. Set the internet zone to "high" security to prevent scripts from running. Send email to users telling them to use Chrome or Firefox to surf the internet in general. (If you can, make sure those browsers have web of trust plugin or other malware blocking addons like adblock plus installed.)
posted by dayglo, Tue Sep 18 2012, 23:11
- https://technet.microsoft.com/en-us/security/advisory/2757760
V1.1 (Sep 18, 2012): Assigned Common Vulnerability and Exposure number CVE-2012-4969 to the issue. Also corrected instructions in the EMET workaround.
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4969 - 9.3 (HIGH)
"... function in mshtml.dll in Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code via a crafted web site, as exploited in the wild in September 2012..."
.
posted by PC.Tech, Tue Sep 18 2012, 23:43
- https://blogs.technet.com/b/msrc/archive/2012/09/18/additional-information-about-internet-explorer-and-security-advisory-2757760.aspx?Redirected=true
18 Sep 2012 - "We will release a Fix it in the next few days to address an issue in Internet Explorer... It will not affect your ability to browse the Web, and it will provide full protection against this issue until an update is available. It won’t require a reboot of your computer. This Fix it will be available for everyone to download and install within the next few days..."
.
posted by PC.Tech, Wed Sep 19 2012, 11:34
Is it just me, or is the 'panic' around this a little much?
The sequence of the vulnerability as I am reading it includes leveraging a rather old Adobe vulnerability. Also, most leading A/V vendors are detecting all the exploits. Except for the home user that doesn't update - theoretically, corporate environments that update at least one of the two (A/V; Adobe) and have decent perimeter protections you should have reasonable mitigation against this threat.
posted by Ferret, Wed Sep 19 2012, 16:46
IE Fix it available
- http://support.microsoft.com/kb/2757760#FixItForMe
... MS12-063 to be released Friday 9.21.2012
- https://blogs.technet.com/b/msrc/archive/2012/09/19/internet-explorer-fix-it-available-now-security-update-scheduled-for-friday.aspx?Redirected=true
.
posted by PC.Tech, Thu Sep 20 2012, 01:20
