-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Reference: CERT-EU Security Advisory 2013-0002 Title: UPDATED - Microsoft Internet Explorer Security Advisory Version history: 04.01.2013 Initial publication 15.01.2013 Patch available - marked with "NEW!" Summary ======= Microsoft is investigating public reports of vulnerability in Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8. Internet Explorer 9 and Internet Explorer 10 are not affected by the vulnerability. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability through Internet Explorer 8. Applying the Microsoft Fix it solution, "MSHTML Shim Workaround," prevents the exploitation of this issue. NEW! Microsoft has released Security Advisory 2794220 [1] to address a vulnerability in Microsoft Internet Explorer 6, 7, and 8. Microsoft continues to encourage customers to follow the guidance in the Microsoft Safety & Security Center of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. CVE numbers [2]: CVE-2012-4792 NEW! Microsoft has released Security Bulletin MS13-008 [5] to resolve this vulnerability. The security update is rated Critical for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows clients and Moderate for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows servers. CERT-EU encourages users and administrators to review Microsoft Security Bulletin MS13-008 [5] and follow best-practice security policies to determine if the update should be applied. Affected Versions ================= Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 Original Details ================ The vulnerability is a remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. What can you do? ================ NEW! Apply the patch MS13-008 [5] installing KB2799329 [5] Apply Workarounds, see [1] for further details and instructions: * Apply the Microsoft Fix it solution, "MSHTML Shim Workaround", that prevents exploitation of this issue [3] [1] * Deploy the Enhanced Mitigation Experience Toolkit [4] [1] The Enhanced Mitigation Experience Toolkit (EMET) helps mitigate the exploitation of this vulnerability by adding additional protection layers that make the vulnerability harder to exploit. * Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones [1] You can help protect against exploitation of this vulnerability by changing your settings for the Internet security zone to block ActiveX controls and Active Scripting. You can do this by setting your browser security to High. * Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone [1] You can help protect against exploitation of this vulnerability by changing your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. Mitigating Factors ================== * By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability. * By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario. * An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. * In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website. What to tell your users ======================= Normal security best practices apply. Especially, inform your Web users to be cautious about attachments and following links to sites that are provided by unfamiliar or suspicious sources. Users are to be aware not to click on the link in suspicious emails; to immediately forward the suspicious email to the respective IT security officer / contact in your institution. More information ================ [1] http://technet.microsoft.com/en-us/security/advisory/2794220 [2] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4792 [3] http://support.microsoft.com/kb/2794220 [4] http://support.microsoft.com/kb/2458544 [5] http://technet.microsoft.com/en-us/security/bulletin/ms13-008 Best regards, CERT-EU Team (http://cert.europa.eu) Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383 Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQIcBAEBAgAGBQJQ9rUfAAoJEPpzpNLI8SVo+w8P/13U5F9QAso+rhDhxvx78acH 2P7AZ+Pqprho68tiWW9BDOae3vCYHlombLQ7VqxLP4u+pN2x4+4/asp+cV40pEWQ 6iZHxv3cuoPkJN5UVIoWp/eIRMXM2UUirBh2GaNB1Spfvm4iLDjNx2i5uYt832m1 3c/Y37D2wk87sefizHdfnsgeV7xTgBf7BZ/NHnWDhLv/snh390HMx+KP53rXpklI U6NYlq1Kpr3xbxit8p8Zfoe3r65Gzxt+//Cg32T6U+0mKUyINVwBqDtyswirxgdw MiytYG1k4ekBZGk+23rByP3hCWXr6HdiFx+Y6pdVAqu7lggd7rQP4a+oKjSRyjVL zRPsbkK7cayYLCTL6/pwNrphBknfdBkxY2c2wXevTgcdvlyc1wGgxNKMsvhtNSr5 EtEGWVAAcpth8+ENT3BBnhUr+o0kE+HucNRegOv1Eeqt++PDQ4jXJKBQHANRvyr9 q0clTTt51fT4k0qpfvvkyxB8O6dbbk+QIKrZ2Q80V2chDRCVsCSYh2EO1N1OUKzK ISttaKIYyO09eq0CGNIf46e5U+snGEkrb20MT7nP87/HHQM3a6U/BYEt4zlfmoEr 7ABrmWHzV2Sh06YBWw9VrRqf5F4YbNf7wrYoo9L4oqkk4zA/WzIJjKn5cpxGb/80 cyKlafF7WL0lH4p/U65+ =1Huf -----END PGP SIGNATURE-----