Microsoft Internet Explorer 6/7/8/9 contain a use-after-free vulnerability

2012-09-17T00:00:00
ID VU:480095
Type cert
Reporter CERT
Modified 2012-09-21T00:00:00

Overview

Microsoft Internet Explorer versions 6, 7, 8, and 9 are susceptible to a use-after-free vulnerability (CWE-416) that may result in remote code execution.

Description

Microsoft Internet Explorer 6/7/8/9 contains a use-after-free vulnerability in the CMshtmlEd::Exec() function. An attacker may leverage this vulnerability to execute arbitrary code. This vulnerability is being actively exploited in the wild and a Metasploit module is publicly available.


Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code.


Solution

Apply an Update

Run Windows Update to apply the patch for this vulnerability. The patch is included in Microsoft Security Bulletin MS12-063, which also addresses other vulnerabilities.

If you cannot apply the update, consider the following workarounds.


Apply a Microsoft Fix It utility

Microsoft has released Microsoft Fix it 50939 to address this vulnerability. The Fix It utility requires that all previous Windows security updates be installed in order to function properly.

Use the Microsoft Enhanced Mitigation Experience Toolkit

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this and other vulnerabilities.

Enable DEP in Microsoft Windows

Consider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts "Understanding DEP as a mitigation technology" part 1 and part 2. DEP should be used in conjunction with the application of patches or other mitigations described in this document.

Note that when relying on DEP for exploit mitigation, it is important to use a system that supports Address Space Layout Randomization (ASLR) as well. ASLR is not supported by Windows XP or Windows Server 2003 or earlier. ASLR was introduced with Microsoft Windows Vista and Windows Server 2008. Please see the Microsoft SRD blog entry: On the effectiveness of DEP and ASLR for more details.

The MSRC blog post lists the following mitigations for this vulnerability.

  • Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
    • This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones
    • This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
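The following audit script is an added example, not part of this note or a Microsoft tool: it reports whether a Windows client has the two MSRC zone workarounds above in place (Active Scripting and ActiveX prompting or disabled in the Internet and Local intranet zones) and which DEP policy the system enforces. It assumes a local, elevated Windows PowerShell session and reads the standard Internet Explorer zone registry values (URL actions 1200 and 1400).

```powershell
# Added audit for the MSRC workarounds and the DEP recommendation (not from the CERT note).
# Assumes an elevated Windows PowerShell session on the client being checked.
$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$actions = @{ 1200 = 'Run ActiveX controls and plug-ins'; 1400 = 'Active scripting' }
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$base    = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Per-user zone settings normally win; the Security_HKLM_only policy makes HKLM authoritative.
$hklmOnly = (Get-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
             -Name Security_HKLM_only -ErrorAction SilentlyContinue).Security_HKLM_only
$hives = if ($hklmOnly -eq 1) { @('HKLM') } else { @('HKCU', 'HKLM') }

function Get-ZoneAction {
    param([int]$Zone, [int]$Action)
    $name = "$Action"
    foreach ($hive in $hives) {
        $item = Get-ItemProperty -Path "$($hive):\$base\Zones\$Zone" -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.$name }
    }
    return $null   # not configured: IE falls back to the zone's built-in default
}

$report = foreach ($z in $zones.Keys) {
    foreach ($a in $actions.Keys) {
        $v = Get-ZoneAction -Zone $z -Action $a
        [pscustomobject]@{
            Zone    = $zones[$z]
            Action  = $actions[$a]
            Setting = if ($null -eq $v) { 'not set (default)' } elseif ($meaning.ContainsKey($v)) { $meaning[$v] } else { "value $v" }
            # Prompt (1) or Disable (3) satisfies the MSRC workaround; anything else leaves the zone exposed
            Status  = if ($v -eq 1 -or $v -eq 3) { 'MITIGATED' } else { 'EXPOSED' }
        }
    }
}
$report | Format-Table -AutoSize

# DEP system policy from WMI: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut.
# Only AlwaysOn and OptOut cover every process, including iexplore.exe, without it opting in.
$depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$dep = [int](Get-WmiObject Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
"DEP policy: {0} ({1})" -f $depNames[$dep], $(if ($dep -eq 1 -or $dep -eq 3) { 'system-wide' } else { 'not system-wide' })
```

Rows reporting EXPOSED indicate a zone in which the workaround has not been applied; the DEP line complements, rather than replaces, applying MS12-063.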

Use a different web browser

Until Microsoft has released a patch for this vulnerability, consider using a different web browser for viewing untrusted web sites.


Vendor Information

Vendor | Status | Date Notified | Date Updated
---|---|---|---
Microsoft Corporation | | - | 17 Sep 2012

CVSS Metrics

Group | Score | Vector
---|---|---
Base | 9.7 | AV:N/AC:L/Au:N/C:C/I:C/A:P
Temporal | 9.2 | E:H/RL:W/RC:C
Environmental | 6.9 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • <http://blogs.technet.com/b/msrc/archive/2012/09/17/microsoft-releases-security-advisory-2757760.aspx>
  • <http://technet.microsoft.com/en-us/security/advisory/2757760>
  • <http://cwe.mitre.org/data/definitions/416.html>
  • <http://osvdb.org/85532>
  • <http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/>
  • <https://community.rapid7.com/community/metasploit/blog/2012/09/17/lets-start-the-week-with-a-new-internet-explorer-0-day-in-metasploit>
  • <https://www.virustotal.com/file/70f6a2c2976248221c251d9965ff2313bc0ed0aebb098513d76de6d8396a7125/analysis/1347710461/>
  • <https://www.virustotal.com/file/9d66323794d493a1deaab66e36d36a820d814ee4dd50d64cddf039c2a06463a5/analysis/1347710777/>
  • <http://dev.metasploit.com/redmine/projects/framework/repository/revisions/48a46f3b9415091a0cc76bd857a6bf90284b9fcd/entry/modules/exploits/windows/browser/ie_execcommand_uaf.rb>
  • <http://labs.alienvault.com/labs/index.php/2012/new-internet-explorer-zero-day-being-exploited-in-the-wild/>

Credit

This vulnerability was discovered in the wild.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2012-4969
  • Date Public: 17 Sep 2012
  • Date First Published: 17 Sep 2012
  • Date Last Updated: 21 Sep 2012
  • Document Revision: 31