Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: IE Zero Day is "For Real" - SANS Internet Storm Center

IE Zero Day is "For Real"

We've had numerous readers write in about an IE8 zero day; most pointed us here for more info on it: http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/

Since I'm not a "Malware Analysis Guy" (at least until I take Lenny's Forensics 610 class), I hunted around for some confirmation before I posted. 

I guess a Metasploit module that exploits it counts as confirmation!
http://dev.metasploit.com/redmine/projects/framework/repository/revisions/aac41e91fd38f99238971892d61ead4cfbedabb4/entry/modules/exploits/windows/browser/ie_execcommand_uaf.rb

Also more info here: http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day

And yes, there is code in the wild that exploits this (since Sept 14th). And no, there is no patch for it yet.

If you're still running IE 7, 8 or 9, today is a good day to think about switching browsers for a couple of weeks.

(thanks to our readers, who corrected my original post - this zero day affects not just IE8, but also IE7 and IE9)

===============
Rob VandenBrink
Metafore

IE9 won't save you (and neither will IE7):
https://community.rapid7.com/community/metasploit/blog/2012/09/17/lets-start-the-week-with-a-new-internet-explorer-0-day-in-metasploit
Paul

2 Posts
Like Paul said, this is for IE 7 - 9, not just 8. Until a patch is released, you should not use IE.
Paul
6 Posts
Would the latest version of EMET that includes the ROP protections for java and iexplore executables block this attack? Wondering if it is a compensating control until the patch is released.
Anonymous
any cve# for this yet?
TuggDougins

37 Posts
IE 6 through 9 vulnerable: http://technet.microsoft.com/en-us/security/advisory/2757760
Brian

3 Posts
According to this article, EMET should protect you. http://www.reuters.com/article/2012/09/18/net-us-microsoft-browser-idUSBRE88G1CA20120918
Brian
1 Posts
See also http://technet.microsoft.com/en-us/security/advisory/2757760

IE 6, 7, 8, 9 and 10 are affected on most platforms
Doug

2 Posts
Is this a candidate for moving the threat level to Yellow?
Everseeker

3 Posts
Sir, are you absolutely sure? It does mean changing the bulb.
Everseeker
6 Posts
Suggesting that another browser be used does not work when the Corporate accounting system cannot function in any browser except IE.
KBR

63 Posts
Add corporate accounting system and intranet sites to trusted sites in IE. Set the Internet zone to "high" security to prevent scripts from running. Send email to users telling them to use Chrome or Firefox to surf the internet in general. (If you can, make sure those browsers have the Web of Trust plugin or other malware-blocking add-ons like Adblock Plus installed.)
dayglo

5 Posts
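The zone workaround dayglo describes above, as an added PowerShell example that is not part of this diary or the comment thread. It assumes IE's documented per-user registry layout (ZoneMap\Domains for site-to-zone mapping, Zones\3 URL actions for the Internet zone); the host names are placeholders for your own systems.

```powershell
# Added example (not from the ISC diary or its comments).
# Per-user IE hardening for the window before the CVE-2012-4969 fix:
#   1. map business sites to the Trusted sites zone (zone 2)
#   2. turn off Active Scripting and ActiveX in the Internet zone (zone 3)
# Host names below are placeholders; the registry keys are IE's own.

$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# IE zone IDs: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted
$TrustedZone  = 2
$InternetZone = 3

function Add-TrustedSite {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,  # e.g. 'accounting.example.com'
        [string]$Scheme = 'https'                     # 'http', 'https' or '*' for both
    )
    # IE stores ZoneMap\Domains\<registrable domain>\<host labels> with one
    # DWORD per scheme whose value is the zone ID, e.g.
    #   intranet.example.com -> Domains\example.com\intranet : https = 2
    $labels = $Domain.ToLower().Split('.')
    if ($labels.Count -lt 2) { throw "expected a dotted host name, got '$Domain'" }
    $key = Join-Path "$base\ZoneMap\Domains" (($labels[-2..-1]) -join '.')
    if ($labels.Count -gt 2) {
        # leading labels become a nested subkey (e.g. 'a.b' for a.b.example.com)
        $key = Join-Path $key (($labels[0..($labels.Count - 3)]) -join '.')
    }
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $Scheme -Value $TrustedZone `
        -PropertyType DWord -Force | Out-Null
    return $key
}

function Set-InternetZoneScripting {
    param([ValidateSet('Enable','Prompt','Disable')][string]$Mode = 'Disable')
    # URL-action values: 0 = enable, 1 = prompt, 3 = disable
    $value = @{ Enable = 0; Prompt = 1; Disable = 3 }[$Mode]
    $key = "$base\Zones\$InternetZone"
    # 1400 = Active scripting, 1200 = Run ActiveX controls and plug-ins.
    # These are the two actions the "no scripts" goal depends on; the High
    # template changes more than these, so this is narrower than the slider.
    foreach ($action in '1400', '1200') {
        New-ItemProperty -Path $key -Name $action -Value $value `
            -PropertyType DWord -Force | Out-Null
    }
}

# Usage (placeholder hosts): trust the business apps first, then lock the Internet zone
Add-TrustedSite -Domain 'accounting.example.com' -Scheme 'https'
Add-TrustedSite -Domain 'intranet.example.com'   -Scheme '*'
Set-InternetZoneScripting -Mode 'Disable'
```

HKCU settings only cover the user running the script, and IE ignores them when the machine-wide Security_HKLM_only policy is set; for a fleet, push the same site list through the Group Policy "Site to Zone Assignment List" instead.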
- https://technet.microsoft.com/en-us/security/advisory/2757760
V1.1 (Sep 18, 2012): Assigned Common Vulnerability and Exposure number CVE-2012-4969 to the issue. Also corrected instructions in the EMET workaround.
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4969 - 9.3 (HIGH)
"... function in mshtml.dll in Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code via a crafted web site, as exploited in the wild in September 2012..."
.
Jack

160 Posts
- https://blogs.technet.com/b/msrc/archive/2012/09/18/additional-information-about-internet-explorer-and-security-advisory-2757760.aspx?Redirected=true
18 Sep 2012 - "We will release a Fix it in the next few days to address an issue in Internet Explorer... It will not affect your ability to browse the Web, and it will provide full protection against this issue until an update is available. It won’t require a reboot of your computer. This Fix it will be available for everyone to download and install within the next few days..."
.
Jack

160 Posts
Is it just me, or is the 'panic' around this a little much?
The sequence of the vulnerability as I am reading it includes leveraging a rather old Adobe vulnerability. Also, most leading A/V vendors are detecting all the exploits. Except for the home user that doesn't update - theoretically, corporate environments that update at least one of the two (A/V; Adobe) and have decent perimeter protections you should have reasonable mitigation against this threat.
IMFerret

10 Posts
IE Fix it available
- http://support.microsoft.com/kb/2757760#FixItForMe
... MS12-063 to be released Friday 9.21.2012
- https://blogs.technet.com/b/msrc/archive/2012/09/19/internet-explorer-fix-it-available-now-security-update-scheduled-for-friday.aspx?Redirected=true
.
Jack

160 Posts