Qualys Blog

www.qualys.com
wkandek

New 0-day for Internet Explorer – Update 3

Update 3
The update for Internet Explorer is out – MS12-063. It fixes the current 0-day and addresses four other unrelated vulnerabilities. Interestingly, in the bulletin Microsoft credits TippingPoint for reporting CVE-2012-4969.

We recommend installing the update as soon as possible, even if you are not running one of the configurations that are currently being exploited, i.e. Internet Explorer plus Flash or Java v1.6. Attackers are surely working on ways to exploit the vulnerability directly without the help of plug-ins.

Update 2
Microsoft has just released further information on a patch for the 0-day vulnerability in Internet Explorer. Today they have made available a "Fix-it" that uses their application compatibility shim mechanism to fix the code segment affected on all versions of Internet Explorer.

They also announced that they are working on a permanent patch that will come out on Friday, September 21st.

The decision on whether to deploy the FixIt or whether to wait for the final patch should take into account that attacks are not widespread yet; currently attacks using the vulnerability continue to be of the targeted type with low infection rates reported.

For more detail on the nature of the patch and the prerequisites for the exploit to run successfully, take a look at Microsoft’s SRD blog entry.

Update
Microsoft acknowledged the vulnerability in Security Advisory 2757760 and lists Internet Explorer 6, 7, 8 and 9 as affected. The vulnerability’s CVE is CVE-2012-4969. The advisory points to EMET as a working mitigating factor. EMET is an optional technology for Windows that provides additional security mitigation technologies to Windows programs, but due to its potential side effects it has to be configured by the system administrator to protect a subset of specific programs. Its newest version, 3.0, was released in May of 2012 and can be managed through Group Policies, which should enable its use in a production environment. All installed browsers plus often-targeted 3rd-party applications are great targets to include in EMET configurations. Once EMET is configured to restrict Internet Explorer’s actions, the current exploit is prevented, even though it causes the browser to crash.

Original
Over the weekend, security researcher Eric Romang discovered a 0-day exploit for Internet Explorer on an attack site in Italy. Analysis of the exploit file shows that it uses Adobe Flash to set up the necessary environment and works against IE 7, 8 and 9.

A Metasploit module for the exploit was released today, allowing one to test the exploit. We expect the exploit to be integrated in all major attack frameworks soon.

Stay tuned for more information.
