Microsoft Internet Explorer CButton use-after-free vulnerability

Overview

Microsoft Internet Explorer contains a use-after-free vulnerability in the CButton object, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Microsoft Internet Explorer contains a use-after-free vulnerability in the mshtml CButton object. Specially-crafted JavaScript can cause Internet Explorer to free the CButton object without removing a pointer, resulting in a state where Internet Explorer may attempt to call an invalid memory address. This memory address may be under the control of the attacker.

This vulnerability is currently being exploited in the wild, using Adobe Flash to achieve a heap spray and Java to provide Return Oriented Programming (ROP) gadgets. Other proof-of-concept exploits are publicly available that do not use heap spraying.

---

Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), Microsoft Office document, an attacker may be able to execute arbitrary code.

---

Solution

Apply an Update

Microsoft has released MS13-008 to address this vulnerability. Users should run Windows Update to receive the patch. If a user is unable to update, please consider the following workarounds:

---

Use the Microsoft Enhanced Mitigation Experience Toolkit

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a video tutorial for setting up EMET 3.0 on Windows 7. Note that platforms that do not support ASLR, such as Windows XP and Windows Server 2003, will not receive the same level of protection that modern Windows platforms will.

Apply the Microsoft Fix It

Microsoft has provided a “Fix it” patch that causes Internet Explorer to safely crash if this vulnerability is attempted to be exploited, rather than resulting in code execution. Please see the Microsoft SRD blog entry for more details. Note that Windows must be fully-patched for the Fix it to be effective. There is also a report that the Fix it is insufficient to completely address the vulnerability.

Disable the Flash ActiveX control in Internet Explorer

While it does not address the underlying vulnerability in Internet Explorer, disabling Flash may break some exploits. The Flash ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:

{D27CDB6E-AE6D-11cf-96B8-444553540000}More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400Disable Java in Internet Explorer

While it does not address the underlying vulnerability in Internet Explorer, disabling Java may break some exploits. Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details.

Vendor Information

Javascript is disabled. Click here to view vendors.

CVSS Metrics

Group	Score	Vector
Base	10	AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal	9	E:H/RL:W/RC:UR
Environmental	9	CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

• <https://technet.microsoft.com/en-us/security/bulletin/ms13-008&gt;
• <http://technet.microsoft.com/en-us/security/advisory/2794220&gt;
• <http://blogs.technet.com/b/srd/archive/2012/12/31/microsoft-quot-fix-it-quot-available-for-internet-explorer-6-7-and-8.aspx&gt;
• <http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx&gt;
• <http://blog.exodusintel.com/2013/01/04/bypassing-microsofts-internet-explorer-0day-fix-it-patch-for-cve-2012-4792/&gt;
• <http://blog.vulnhunt.com/index.php/2012/12/29/new-ie-0day-coming-mshtmlcdwnbindinfo-object-use-after-free-vulnerability/&gt;
• <http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/&gt;
• <http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html&gt;
• <http://labs.alienvault.com/labs/index.php/2012/just-another-water-hole-campaign-using-an-internet-explorer-0day&gt;
• <http://support.microsoft.com/kb/2458544&gt;
• <http://www.youtube.com/watch?v=28_LUs_g0u4&gt;
• <http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html#disable&gt;

Acknowledgements

This vulnerability was described by Eric Romang and FireEye.

This document was written by Will Dormann.

Other Information

CVE IDs:	CVE-2012-4792
Date Public:	2012-12-28 Date First Published: