Vulnerability in Internet Explorer Could Allow Remote Code Execution (CVE-2010-3962)

Published: 2010-11-03
Last Updated: 2010-11-07 14:30:10 UTC
by Kevin Liston (Version: 6)
5 comment(s)

Microsoft has announced a vulnerability in all currently supported versions of Internet Explorer (6 through 8) that could allow the execution of arbitrary code (advisory 2458511: http://blogs.technet.com/b/msrc/archive/2010/11/02/microsoft-releases-security-advisory-2458511.aspx). This would likely be leveraged in a drive-by exploit scenario. Microsoft states that DEP (Data Execution Prevention) and Protected Mode are mitigating factors.

 

UPDATE: Symantec has details on the targeted attack here: http://www.symantec.com/connect/blogs/new-ie-0-day-used-targeted-attacks

UPDATE2: Added MSRC Blog link.

UPDATE3: Added CVSS Base.

UPDATE4: Noting that exploit code is in the wild.

UPDATE5: IDS signatures are available.

CVSS Base: 9.3
Exploit code: publicly-available
Workarounds: available (DEP, EMET, and CSS override)
Patches: unavailable
IDS signatures: available


Comments

Please don't post links to the exploit code. Thanks.
As we all know, MS offers two "Fix it" tools via http://support.microsoft.com/kb/2458511/en-us
Sadly and oddly enough, Fix it 50556 (the "CSS-Fix it", MicrosoftFixit50556.msi) has an error in the LaunchCondition of the MSI file, which leads to a "This Microsoft Fix it does not apply to your operating system or application version" error message when executing the MSI file on every Windows version you try to install it on, aborting the installation of the contained user-defined CSS file for Internet Explorer. The culprit is the second LaunchCondition, FIXIT_RUN <> "", found in the MSI file. By removing this condition, the installation will continue and work as intended (IE will launch once after the installation has finished).
I informed MS about the error yesterday. So far, no reaction. Just in case you don't feel able or willing to fix the issue yourself, I'm offering a fixed version of the MSI file via http://patch-info.de/IE/Downloads/MicrosoftFixit50556.msi

Bye,
Freudi
IE 0-day in exploit kit...
- http://thompson.blog.avg.com/2010/11/heads-up-0-day-in-an-exploit-kit.html
November 07, 2010 - "... CVE-2010-3962* is in the Wild, but over the last couple of days, we've begun detecting it in the Eleonore Exploit Kit. This raises the stakes considerably..."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3962
Without any feedback or further visible information, MS corrected "Fix it" 50556 on November 11th. They now offer the corrected Fix it via their MSKB article, which is identical to the one I've been offering for download via patch-info.de since November 7th.

Bye,
Freudi
Well, in the meantime MS deploys the erroneous version of MicrosoftFixit50556.msi once again. Looks like someone is playing bullsh*t Bingo.
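
The LaunchCondition rows discussed in the comments above can be listed without installing the package, together with the file's Authenticode status (editing a signed MSI invalidates its signature). This PowerShell is an added example, not code from the diary, its commenters or Microsoft; the function names `Invoke-ComMember` and `Get-MsiLaunchCondition` and the file path in the usage comment are assumptions.

```powershell
# Added example (not from the original page): read an MSI's LaunchCondition
# table through the Windows Installer COM automation interface.

function Invoke-ComMember {
    # Late-bound call: the Installer COM objects expose no type info to PowerShell.
    param($Object, [string]$Name, [System.Reflection.BindingFlags]$Kind, $Arguments)
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $Arguments)
}

function Get-MsiLaunchCondition {
    param([Parameter(Mandatory)][string]$Path)

    $full = (Resolve-Path -LiteralPath $Path).ProviderPath

    # Signature status first: 'Valid', 'HashMismatch', 'NotSigned', ...
    $sig = Get-AuthenticodeSignature -LiteralPath $full

    $installer = New-Object -ComObject WindowsInstaller.Installer
    # Second argument 0 opens the database read-only.
    $db = Invoke-ComMember $installer 'OpenDatabase' 'InvokeMethod' @($full, 0)

    try {
        $query = 'SELECT `Condition`, `Description` FROM `LaunchCondition`'
        $view  = Invoke-ComMember $db 'OpenView' 'InvokeMethod' @($query)
        Invoke-ComMember $view 'Execute' 'InvokeMethod' $null | Out-Null
    } catch {
        Write-Warning "No readable LaunchCondition table in $full"
        return
    }

    # Fetch returns $null once all rows have been read.
    while ($null -ne ($row = Invoke-ComMember $view 'Fetch' 'InvokeMethod' $null)) {
        [pscustomobject]@{
            File            = Split-Path -Leaf $full
            SignatureStatus = $sig.Status
            Condition       = Invoke-ComMember $row 'StringData' 'GetProperty' @(1)
            Description     = Invoke-ComMember $row 'StringData' 'GetProperty' @(2)
        }
    }
    Invoke-ComMember $view 'Close' 'InvokeMethod' $null | Out-Null
}

# Usage (path is an assumption):
# Get-MsiLaunchCondition -Path .\MicrosoftFixit50556.msi | Format-List
```

Each output row is one launch condition; a package whose `SignatureStatus` is not `Valid` has been altered after signing or was never signed.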
