-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2012-0114
Title: UPDATED - Internet Explorer Zero-Day Exploits Available - MS12-063 [1]

Version history:
17.09.2012 Initial publication
18.09.2012 Updated with additional details
21.09.2012 Updated with additional details - marked with "NEW!"
24.09.2012 Patch available - Updated with additional details - marked with "NEW!"

Summary
=======

There appears to have been an exploit detected that affects fully patched versions of Microsoft Internet Explorer versions 6 through 9, and allows downloading and running arbitrary executables. A Metasploit module is also already available which exploits this zero-day vulnerability.

Microsoft has issued a security advisory related to this vulnerability [3].

Microsoft has issued a "Fix it" solution - an automated way to deploy a workaround suggested by Microsoft [5].

NEW! Microsoft has released the critical Security Bulletin MS12-063 [6].

Affected Versions
=================

The following versions are affected: Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9.

The full list of affected versions and platforms may be found in [3].

Original Details
================

Eric Romang [1] found four files on a server he investigated: an executable, a Flash Player movie and two HTML files called exploit.html and protect.html.

When users visit the exploit.html page, it loads the Flash movie, which in turn loads the other HTML page, protect.html. Together, they drop the executable onto the victim's computer. At this point, attackers have everything they need to drop whatever applications they like on the victim's machine, whether it is to join a botnet or conduct attacks. In this case, the dropper executable installs another program when the victim next logs in. [2]

A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted or has not been properly allocated.
The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. [3]

What can you do?
================

Patches are available [6].

Workarounds:

* If possible use a different browser (Firefox, Chrome, Safari, Opera, or Internet Explorer version 10.0).
* If not possible to use a different browser, deploy the Enhanced Mitigation Experience Toolkit (EMET) [3,4]. It is now possible to use the "Fix it" solution from Microsoft [5] to automatically Enable or Disable the EMET.

Mitigating Factors: [3]

* By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.
* By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.
* An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
* In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability.
  In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.

What to tell your users
=======================

If possible, ask your users to use a different browser. You may choose to ask your users to use the "Fix it" solution from Microsoft [5].

Normal security best practices apply. In particular, inform your Web users to be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Users should be aware not to click on links in suspicious emails, and should instead immediately forward the suspicious email to the respective IT security officer / contact in your institution.
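The drive-by chain described under "Original Details" (a landing HTML page loads a Flash movie, which loads a second HTML page, after which an executable is fetched) leaves a recognisable request sequence in web proxy logs. The script below is an added example, not part of the CERT-EU advisory or of any Microsoft tooling: it walks a constructed proxy log, groups successful requests per client and host, and flags any client that fetches HTML, then SWF, then HTML, then an executable from the same host within a short window. It deliberately keys on content type and extension rather than on the file names exploit.html and protect.html, since those are attacker-chosen; the log format, host names and time window are assumptions for the example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic from the advisory).
# Format assumed for the example: "<ISO time> <client> <method> <url> <status> <content-type>"
SAMPLE_LOG = """\
2012-09-17T10:01:02 10.0.0.5 GET http://news.example.net/index.html 200 text/html
2012-09-17T10:01:03 10.0.0.5 GET http://news.example.net/player.swf 200 application/x-shockwave-flash
2012-09-17T10:01:05 10.0.0.5 GET http://news.example.net/story.html 200 text/html
2012-09-17T10:01:09 10.0.0.5 GET http://news.example.net/style.css 200 text/css
2012-09-17T10:03:10 10.0.0.7 GET http://bad.example.org/exploit.html 200 text/html
2012-09-17T10:03:11 10.0.0.7 GET http://bad.example.org/movie.swf 200 application/x-shockwave-flash
2012-09-17T10:03:11 10.0.0.7 GET http://cdn.example.net/logo.png 200 image/png
2012-09-17T10:03:12 10.0.0.7 GET http://bad.example.org/protect.html 200 text/html
2012-09-17T10:03:14 10.0.0.7 GET http://bad.example.org/update.exe 200 application/octet-stream
2012-09-17T10:05:00 10.0.0.9 GET http://downloads.example.com/setup.exe 200 application/x-msdownload
2012-09-17T10:06:00 10.0.0.7 GET http://bad.example.org/missing.html 404 text/html
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

# The stage order described in the advisory: HTML -> Flash -> HTML -> executable.
STAGES = ("html", "swf", "html", "exe")


def classify(url, ctype):
    """Map a request to one of the chain stages (or None if irrelevant)."""
    path = urlparse(url).path.lower()
    ctype = ctype.lower()
    if path.endswith(".exe") or ctype in ("application/x-msdownload", "application/octet-stream"):
        return "exe"
    if path.endswith(".swf") or ctype == "application/x-shockwave-flash":
        return "swf"
    if path.endswith((".html", ".htm")) or ctype.startswith("text/html"):
        return "html"
    return None


def parse_log(text):
    """Parse successful (HTTP 200) requests into (time, client, host, stage, url) tuples."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, status, ctype = m.groups()
        if status != "200":
            continue  # a failed fetch cannot advance the chain
        host = urlparse(url).netloc.lower()
        events.append((datetime.fromisoformat(ts), client, host, classify(url, ctype), url))
    events.sort(key=lambda e: e[0])  # stable sort keeps same-second order
    return events


def find_dropper_chains(text, window_seconds=120):
    """Return one hit per (client, host) that completed all STAGES within the window."""
    events = parse_log(text)
    progress = {}  # (client, host) -> (next stage index, chain start time, urls so far)
    hits = []
    for ts, client, host, kind, url in events:
        if kind is None:
            continue
        key = (client, host)
        stage, start, urls = progress.get(key, (0, ts, []))
        if stage > 0 and ts - start > timedelta(seconds=window_seconds):
            stage, start, urls = 0, ts, []  # chain went stale; start over
        if kind == STAGES[stage]:
            if stage == 0:
                start = ts
            urls = urls + [url]
            stage += 1
            if stage == len(STAGES):
                hits.append({"client": client, "host": host, "first_seen": start, "urls": urls})
                stage, urls = 0, []
        elif kind == "html":
            # A fresh landing page restarts the chain for this client/host pair.
            stage, start, urls = 1, ts, [url]
        progress[key] = (stage, start, urls)
    return hits


if __name__ == "__main__":
    for hit in find_dropper_chains(SAMPLE_LOG):
        print(f"{hit['client']} <- {hit['host']} at {hit['first_seen']}: {' -> '.join(hit['urls'])}")
```

Only the client that completes all four stages against one host is reported; the benign news site (HTML, SWF, HTML but no executable) and the stand-alone installer download are not. In production the window and content-type lists would be tuned to the organisation's proxy, and a hit is a trigger for host triage rather than proof of compromise.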
More information
================

[1] http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/
[2] http://www.zdnet.com/java-zero-day-leads-to-internet-explorer-zero-day-7000004330/
[3] http://technet.microsoft.com/en-us/security/advisory/2757760
[4] http://support.microsoft.com/kb/2458544
[5] http://support.microsoft.com/kb/2757760
[6] http://technet.microsoft.com/en-us/security/bulletin/ms12-063

Best regards,
CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJQYHckAAoJEPpzpNLI8SVopN4P/j7U+diTSCdq+CgysUal23BF
E0+91wNqDOE414INix0ic8k83JPsrvnPPrbJnSeyvT7+qxuI+gBlqYczzDZLPKfN
bk5NfJHCAKf+CUitqsUu2uJvZbxgD5gm8kkpnxiaz+XmJPJ3c9xhVDU4SdCiQ6kp
DdzBjmvYIooNMXfjLyxSiLOM1aIHnfTHeiC1L7U3ooUPHYFZTI0mWbSEoW20R3iD
xS8WIxysuXOpzX5zNJnrOJGkjFLoIjtT+s8kQh+co0KYM5QZpPw0Bzh+ykPldr0X
SiwBiFpBrGOMnO3++vKrG5PC1AzqZWq05iJcrH1csmapQPP0cnyEj7gTtHF6X5p8
HGzkrrIwIuEdL37Ddg4frOZCoRkc5cIA/ATdZ5fjQFtmSfsvzRYPKLQLblWOYlMR
7vWESDC9v9J4XdNCKWm4rTuTAp0T0OJPO33J08kSbvi9gNEankegf/IJgr4pGlHi
qvjMxH7GYnyxae0ubW+D/8u+LM4HXJNQl2L+5I7ov1jr33asZsNw+bWXGRPN8Qrs
uWepnU3P5iwqU5xGUyN/cjRzOfK/MmXTavE/KXMLGlB7Y0tbrj4qn567t6tAF+b1
Y14CVZ1YQjV8w5fw1xXadWoqRJ/AqW82k4VTaFcviy6Ys7SlD3csrLBw6KB8F04i
BizAq7Yi7lVxAQsg4tQ0
=Jy3Y
-----END PGP SIGNATURE-----