Microsoft Internet Explorer "scrollIntoView" Use-After-Free

2012-10-24T00:00:00
ID PACKETSTORM:117654
Type packetstorm
Reporter Nicolas Joly
Modified 2012-10-24T00:00:00

Description

                                        
`VUPEN Security Research - Microsoft Internet Explorer "scrollIntoView"  
Use-After-Free Vulnerability (MS12-063)  
  
Website : http://www.vupen.com  
  
Twitter : http://twitter.com/vupen  
  
  
I. BACKGROUND  
---------------------  
  
"Microsoft Internet Explorer is a web browser developed by Microsoft and  
included as part of the Microsoft Windows line of operating systems with  
more than 60% of the worldwide usage share of web browsers." (Wikipedia)  
  
  
II. DESCRIPTION  
---------------------  
  
VUPEN Vulnerability Research Team discovered a critical vulnerability  
in Microsoft Internet Explorer.  
  
The vulnerability is caused by a use-after-free error in the "mshtml.dll"  
component when processing certain "scrollIntoView" events, which could  
allow remote attackers to execute arbitrary code via a specially crafted  
web page.  
  
CVSS Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)  
  
  
III. AFFECTED PRODUCTS  
---------------------------  
  
Microsoft Internet Explorer 9  
Microsoft Internet Explorer 8  
  
Microsoft Windows 7 for 32-bit Systems  
Microsoft Windows 7 for 32-bit Systems Service Pack 1  
Microsoft Windows 7 for x64-based Systems  
Microsoft Windows 7 for x64-based Systems Service Pack 1  
Microsoft Windows Server 2008 for 32-bit Systems  
Microsoft Windows Server 2008 for 32-bit Systems Service Pack 2  
Microsoft Windows Server 2008 for x64-based Systems  
Microsoft Windows Server 2008 for x64-based Systems Service Pack 2  
Microsoft Windows Server 2008 for Itanium-based Systems  
Microsoft Windows Server 2008 for Itanium-based Systems Service Pack 2  
Microsoft Windows Server 2008 R2 for x64-based Systems  
Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1  
Microsoft Windows Server 2008 R2 for Itanium-based Systems  
Microsoft Windows Server 2008 R2 for Itanium-based Systems Service Pack 1  
Microsoft Windows Vista Service Pack 1  
Microsoft Windows Vista Service Pack 2  
Microsoft Windows Vista x64 Edition Service Pack 1  
Microsoft Windows Vista x64 Edition Service Pack 2  
Microsoft Windows Server 2003 Service Pack 2  
Microsoft Windows Server 2003 x64 Edition Service Pack 2  
Microsoft Windows Server 2003 with SP2 for Itanium-based Systems  
Microsoft Windows XP Service Pack 3  
Microsoft Windows XP Professional x64 Edition Service Pack 2  
  
  
IV. Binary Analysis & Exploits/PoCs  
---------------------------------------  
  
In-depth technical analysis of the vulnerability and a fully functional  
remote code execution exploit are available through the VUPEN BAE  
(Binary Analysis & Exploits) portal:  
  
http://www.vupen.com/english/services/ba-index.php  
  
VUPEN Binary Analysis & Exploits Service provides private exploits and  
in-depth technical analysis of the most significant public vulnerabilities  
based on disassembly, reverse engineering, protocol analysis, and code  
audit.  
  
The service allows governments and major corporations to evaluate risks, and  
protect infrastructures and assets against new threats. The service also  
allows security vendors (IPS, IDS, AntiVirus) to supplement their internal  
research efforts and quickly develop both vulnerability-based and  
exploit-based signatures to proactively protect their customers from attacks  
and emerging threats.  
  
  
V. VUPEN Threat Protection Program  
-----------------------------------  
  
Governments and major corporations which are members of the VUPEN Threat  
Protection Program (TPP) have been proactively alerted about the  
vulnerability when it was discovered by VUPEN in advance of its public  
disclosure, and have received detailed attack detection guidance to  
protect national and critical infrastructures against potential 0-day  
attacks exploiting this vulnerability:  
  
http://www.vupen.com/english/services/tpp-index.php  
  
  
VI. SOLUTION  
----------------  
  
Apply MS12-063 security update.  
  
  
VII. CREDIT  
--------------  
  
This vulnerability was discovered by Nicolas Joly of VUPEN Security.  
  
  
VIII. ABOUT VUPEN Security  
---------------------------  
  
VUPEN is the leading provider of advanced vulnerability research for  
defensive and offensive cyber security. VUPEN solutions enable corporations  
and governments to measure and manage risks, eliminate vulnerabilities  
before they can be exploited, and protect critical infrastructures and  
assets against known and unknown vulnerabilities.  
  
VUPEN has been recognized as "Company of the Year 2011 in the Vulnerability  
Research Market" by Frost & Sullivan.  
  
VUPEN solutions include:  
  
* VUPEN Binary Analysis & Exploits Service (BAE) :  
http://www.vupen.com/english/services/ba-index.php  
  
* VUPEN Threat Protection Program (TPP) :  
http://www.vupen.com/english/services/tpp-index.php  
  
  
IX. REFERENCES  
----------------------  
  
http://technet.microsoft.com/en-us/security/bulletin/ms12-063  
http://www.vupen.com/english/research.php  
  
  
X. DISCLOSURE TIMELINE  
-----------------------------  
  
2011-10-10 - Vulnerability Discovered by VUPEN and shared with customers  
2012-09-21 - Public disclosure  
`