Vulnerability in Internet Explorer Could Allow Remote Code Execution (CVE-2010-3962)

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Handler on Duty: Johannes Ullrich

Threat Level: green

Vulnerability in Internet Explorer Could Allow Remote Code Execution (CVE-2010-3962)
Microsoft has announced a vulnerability in all currently-supported versions of Internet Explorer (6 through 8) that could all the execution of arbitrary code (advisory 2458511.) This would likely be leveraged in a drive-by-exploit scenario. They state that DEP (Data Execution Prevention) and Protected Mode are mitigating factors. I'm still collecting more details so this will be updated as more details become available. CVSS Base: pending Exploit code: non-public, but reported to have attacks in the wild. Workarounds: available Patches: unavailable IDS signatures: pending	Kevin Liston 292 Posts ISC Handler Nov 3rd 2010
Thread locked Subscribe	Nov 3rd 2010 1 decade ago
Please don't post links to the exploit code. Thanks.	Kevin Liston 292 Posts ISC Handler
Quote	Nov 4th 2010 1 decade ago
As we all know, MS offers two "Fix it" tools via http://support.microsoft.com/kb/2458511/en-us Sadly and odd enough, Fix it 50556 (the "CSS-Fix it", MicrosoftFixit50556.msi) has an error in the LaunchCondition of the MSI file, which leeds to an "This Microsoft Fix it does not apply to your operating system or application version" error message executing the MSI file on every Windows version you're trying to install it, abording the installation of the contained user-defined CSS file for Internet Explorer. The culprit is the second LaunchCondition FIXIT_RUN <> "" to be found in the MSI file. By removing this condition, the installation will continue and work as intended (IE will launch once after the installation finished). I've informed MS about the error yesterday. So far, no reaction. Just in case you don't feel to be able or willing to fix the issue yourself, I'm offering a fixed version of the MSI file via http://patch-info.de/IE/Downloads/MicrosoftFixit50556.msi Bye, Freudi	Anonymous
Quote	Nov 8th 2010 1 decade ago
IE 0-day in exploit kit... - http://thompson.blog.avg.com/2010/11/heads-up-0-day-in-an-exploit-kit.html November 07, 2010 - "... CVE-2010-3962* is in the Wild, but over the last couple of days, we've begun detecting it in the Eleonore Exploit Kit. This raises the stakes considerably..." * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3962 .	Jack 160 Posts
Quote	Nov 8th 2010 1 decade ago
Without any feedback and further visible information, MS corrected "Fix it" 50556 on November 11th. They now offer the corrected Fix it via their MSKB article which is identical to that one, I've been offering for download via patch-info.de since November 7th. Bye, Freudi	Anonymous
Quote	Nov 11th 2010 1 decade ago
Well, in the meantime MS deploys the errorness version of MicrosoftFixit50556.msi once again. Looks like someone is playing bullsh*t Bingo.	Anonymous
Quote	Nov 12th 2010 1 decade ago