Exploit Code Surfaces for CVE-2012-1875 Internet Explorer Bug

Less than a week after Microsoft released a patch for a critical vulnerability in Internet Explorer, attack code has become publicly available in the form of a module for the Metasploit Framework. The bug is serious one that enables an attacker to bypass both ASLR and DEP, the two main anti-exploit technologies in IE, and run arbitrary code on the victim’s machine.

Microsoft has warned customers to patch the IE vulnerability CVE-2012-1875 as soon as possible, as there have been active attacks going on against the flaw for several weeks.

“A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,” Microsoft said in its advisory.

Security researchers from McAfee discovered the vulnerability and found that attackers were using it in targeted attacks by the beginning of June.

“The exploit works across all major Windows platforms, including Windows Vista and Windows 7. It leverages return-oriented programming (ROP) exploitation technology to bypass with data execution (DEP) and address space layout randomization (ASLR) protections, and hook-hopping evasion techniques to evade host-based IPS detections. It requires the victim’s system to run an old Java virtual machine that came with a non-ASLR version of msvcr71.dll. If Java is not installed or there is no non-ASLR version of msvcr71.dll in the system, the exploit won’t work, although it will cause IE to crash,” McAfee’s Yichong Lin said in an analysis of the attacks and bug.

The Internet Explorer exploit can be used against IE 8 and will give the attacker complete control of the compromised machine. If you haven’t installed the patch yet, now’s the time.