IE Zero-Day Vulnerability

Microsoft Security Advisory 2963983 – Vulnerability in Internet Explorer Could Allow Remote Code Execution – TechNet

General Information

Executive Summary

Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. For information about protections released by MAPP partners, see MAPP Partners with Updated Protections.

Microsoft continues to encourage customers to follow the guidance in the Microsoft Safety & Security Center of enabling a firewall, applying all software updates, and installing antimalware software.

Mitigating Factors:

  • By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.

  • By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.

  • An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.

More information in the full article. There is no patch. But Microsoft has given some recommendations which are easier to understand at Security Garden’s posting:

Recommendations

As illustrated in the “Security Research and Defense Blog” reference below, users of IE 10 and 11 should ensure they haven’t disabled Enhanced Protection Mode.

Another option is to install the Enhanced Mitigation Experience Toolkit (EMET). The recommended setting for EMET 4.1, available from KB Article 2458544, is automatically configured to help protect Internet Explorer. No additional steps are required.

See the Tech Net Advisory for instructions on changing the following settings to help protect against exploitation of this vulnerability:

  • Change your settings for the Internet security zone to high to block ActiveX controls and Active Scripting

  • Change your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.

 

Those still using Windows XP on the Internet, please be aware:

VERY IMPORTANT FOR ANY HOLD OUT WINDOWS XP USERS

This is the first of the security vulnerabilities that DOES NOT include workarounds  for Windows XP. The oldest Windows noted as being affected are: Windows Server 2003 SP2 and Vista SP2.

IMPORTANT NOTE: Once a Microsoft product’s support has expired — as is true now about Windows XP SP3 since April 8, 2014 — Microsoft no longer lists it as affected by the vulnerabilities being patched. Microsoft only list Windows versions which are still under Mainstream Support or Extended Support. This has always been the case.

If anyone is still using Windows XP on the Internet (UNWISE!!), it would be strongly recommended to disallow IE (Internet Explorer) access to the Internet through your software firewall*, and use another browser like Firefox and Google Chrome which will still be getting updates for a time.

* Any Windows XP users still on the Internet should at least have:

  • a hardware router with Stateful Packet Firewall
  • should be using a ‘real’ software firewall as well as a good AV program. Just one good choice that will continue to support Windows XP is ESET’s Smart Security which is a very good antivirus and firewall. It is the one I use. It is not free. There are several free antivirus programs but not many free security suites.
  • block Internet Explorer through the ESET or other software firewall.
  • should be using a 3rd party browser like Mozilla Firefox with NoScript, Adblock Plus and WOT to help sort out safer search results on search engines, or Google Chrome with ScriptSafe, Adblock Plus and WOT Extension.
  • uninstall Java entirely, keep Adobe Flash religiously updated for Firefox as long as Adobe continues to provide them. Google Chrome updates Flash within itself. Might want to switch from Adobe Reader to Sumatra PDF reader which is a simple PDF viewer.
  • need to be even more careful than ever before about where you go. The bad guys will be looking with great anticipation for computers with expired Windows XP.
  • no risky behavior
  • no banking … note very soon banks will be disallowing expired Windows XP entirely anyway.

IMPORTANT: You can not block a program from getting out to the Internet with the Windows XP Firewall. It is only a one way firewall. It only monitors incoming Internet requests, instead of both ways as any real firewall including Windows 7 and Windows 8 built-in software firewalls do.

Here’s a quote from a ZDNet article:

To those planning to stick resolutely with the aged Windows XP operating system even after Microsoft ends support next year, the advice from experts is simple: Don’t do it.

Again: I would strongly suggest you get a new computer, upgrade your computer if it can be upgraded to a modern/still supported Windows such as Windows 7 or Windows 8, or get a Mac, or you could  convert/upgrade the computer to Linux or use a Linux LiveCD to visit the Internet and still use Windows XP as a standalone NOT CONNECTED TO THE INTERNET computer.

If you need help with any of this, please contact your computer guru, join a forums like Scot’s Newsletter Forums – BATL (Bruno’s All Things Linux) to ask questions, or you can use the contact info on my website  to contact me for some help.

New Metaspoit 0-Day IE7, IE8, IE9, WinXP, Vista, Windows 7

New Metasploit 0-day exploit for IE 7, 8 & 9 on Windows XP, Vista, and 7 – SecurityStreet/Rapid7

We have some Metasploit freshness for you today: A new zero-day exploit for Internet Explorer 7, 8, and 9 on Windows XP, Vista and 7. Computers can get compromised simply by visiting a malicious website, which gives the attacker the same privileges as the current user. Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available. The exploit had already been used by malicious attackers in the wild before it was published in Metasploit. The associated vulnerability puts about 41% of Internet users in North America and 32% world-wide at risk (source: StatCounter). We have added the zero-day exploit module to Metasploit to give the security community a way to test if their systems are vulnerable and to develop counter-measures.

Here’s the back story: Some of you may remember that a couple of weeks ago, the Metasploit exploit team released a blog regarding a new Java exploit (CVE-2012-4681), with a blog entry titled “Let’s Start the Week with a New Java 0day in Metasploit“. You’d think the 0-day attack from the same malicious group might cool down a little after that incident… well, you’d be wrong. …

BOLD and COLOR emphasis mine.

I am sure that they only tested IE7, IE8 and IE9 initially on this because those are the only IE browsers in use right now for Windows XP, Vista and Windows 7 and based on the w3Counter, the largest number of IE users at this time.

He also said that if he were to test IE10, he was certain it would fail the test as well.

One can only imagine how miserably IE6, as the highest level of IE that works on Win2K, would do. You would think that most people have moved onto newer versions of Windows, but some have not sadly despite the fact that Win2K hasn’t had an update since I think July 2010 and despite articles like this one from Ed Bott January 16, 2010. Don’t think it’s a big issue? Well according to the IE6Countdown website, IE6 still has an impressive 6% of Internet users worldwide as of August 2012.

Sure the USA’s piece of pie for IE6 is only 0.04% but I know a few of those folks and they are diehard users who refuse to leave a dead OS and browser due to economic issues, or sight issues, or both. Now, to their credit, some of these Win2K users do have a NAT hardware router, a software firewall, and they use Firefox and not IE6, but still, Win2K has not had any updates since July 2010! Not a wise move.

Personally,  I have NO addons allowed to work in IE8 in Windows XP by default on the Installations of Windows XP SP3 that I have still running, or IE9 on Windows 7.

I lock down my other browsers with no scripting type extensions like NoScript on Firefox, Chrome, etc. regardless of the operating system I am using (Windows, Mac, Linux), as well as Adblock Plus.

Another great little program for Windows that can help you keep a handle on what is happening on your Windows computer is BillP Studio’s WinPatrol Plus and FREE WinPatrol. I use it on my WinXP SP3 as an added protection since I have a laptop that can only run WinXP (SP3 of course), I use very intermittently for special use tasks such as setting up routers, or downloading music using Amazon Downloader, or sites that use OverDrive Media Console, etc. which won’t run on Linux on my laptop. This is when I am on the road using Library or Starbucks, or other public wifi hotspots due to our bandwidth limitations here at home on Verizon Wireless.

And I have found it to be wise to use a different browser (locked down of course as much as you can tolerate), rather than the ‘ubiquitous’ browser (IE in Windows, Safari on the Mac, or whatever the default browser is in a given GUI in Linux) in any given operating system.

One can not leave this to chance these days, IMHO.

 

EDIT: Added articles – one more about the exploit and the link to information on Microsoft’s workaround:

Update: Hackers exploit new IE zero-day vulnerability – Computerworld

Customers can use the Enhanced Mitigation Experience Toolkit (EMET) 3.0 to harden IE enough to ward off the current attacks, said Wee, of the company’s Trustworthy Computing Group, in an email late on Monday.EMET 3.0 can be downloaded from Microsoft’s websites.

Microsoft issues workaround for IE 0-day exploited in current attacks – net-security.org

Microsoft has reacted fast by issuing a security advisory yesterday, in which it confirms the existence of the flaw in Internet explorer 9 and all previous versions (IE10 is not affected), and offers instructions on steps the users can take to mitigate – but not yet remove – the threat:

  • Deploy the Enhanced Mitigation Experience Toolkit (EMET) and configure it for Internet Explorer
  • Set Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.

These steps could bring additional problems to the users, such as being bombarded by a slew of security warnings, so until Microsoft releases a definitive patch for the hole, maybe it would be easier for IE users to take Rapid7’s advice and switch to another browser for the time being.

Again BOLD emphasis mine.

Java flaws already included in Blackhole exploit kit within 12 hours

Java flaws already included in Blackhole exploit kit, Oracle was informed of vulnerabilities in April – Sophos Naked Security

It took less than 12 hours from the time the proof of concept for the latest Java zero-day vulnerabilities went public for exploits of those vulnerabilities to be included in a commercial crimeware kit.

Brian Krebs was first to mention having heard that CVE 2012-4681 was being added to the Blackhole exploit kit, and SophosLabs confirmed seeing it in the wild a few hours later.

And this about Macs in particular:

Some have asked if Mac users are at risk from the CVE 2012-4681 exploit and the answer is “Maybe.” The version officially distributed by Apple is Java 6, which is not vulnerable.

Interesting that an older version is not vulnerable to this particular zero day exploit. But if users of Lion and Mountain Lion have installed Java 7 directly from  Oracle’s Java.com site (which is the only way to even get Java on Lion and Mountain Lion), then they are vulnerable.

And of course, Windows and Linux/UNIX/BSD are all vulnerable as well if Java 7 has been installed.

Soon Twitter users were tweeting that Mac users were being attacked, but that the malware apparently on the blackhole server is serving Windows malware. Gives Mac users a reprieve to get their Java updated … if they installed it at all.

What is really sad is that Oracle was made aware of this vulnerability back in April and didn’t fix it in a timely manner.

Thankfully Firefox and Google Chrome will disable or at least not automatically run Java if it’s outdated. Other browsers (Internet Explorer, Opera, etc.) should be doing the same thing.

Java 7 ‘super dangerous’ vulnerability

There is a recently discovered ‘super dangerous’ vulnerability in Java 7.

This vulnerability affects all Java 7 users; whether they run a version of Windows, or using a Mac, or an Opensource Linux operating system:

Macs at risk from ‘super dangerous’ Java zero-day – Computerworld:

Hackers are exploiting a zero-day vulnerability in Java 7, security experts said today.

The unpatched bug can be exploited through any browser running on any operating system, from Windows and Linux to OS X, that has Java installed, said Tod Beardsley, the engineering manager for Metasploit, the open-source penetration testing framework used by both legitimate researchers and criminal hackers.

I think the reason they have singled out Mac users in the article is that most Windows users if they have a recent version of Java installed will get upgrade notifications from Oracle’s Java. Where many Mac users until Lion had Java being updated (albeit late) by Apple. Now they are responsible to keep it updated on Lion IF they decide to install Java manually themselves. Lion and Mountain Lion do not come with Java installed by default. But if you do have it installed on your Mac:

Maynor said he was able to trigger the vulnerability with the Metasploit code in both Firefox 14 and Safari 6 on OS X 10.8, better known as Mountain Lion.

These exploits are mainly aimed at Windows users, but Macs are becoming more and more popular because overall they have less issues than Windows for viruses, etc.

But browser exploits are a bain for all computer users. And we have to keep our plugins updated to stay one step ahead.

If you are using Firefox, there is a page you can go to where you can check to see if your plugins can be checked to make sure you are up to date:

Firefox Check Plugins page

Interestingly that Check Plugins page also seems to work pretty well on Google Chrome’s browser as well. Just remember that if it tells you Flash is outdated, Google Chrome will be updating that for you on their next update.

Looks like I am off for a new Flash update… see ya next time.

Dangerous Internet Explorer Flaw Jeopardizes GMail accounts

‘State-sponsored attackers’ using IE zero-day to hijack GMail accounts – ZDNet:

Microsoft’s advisory speaks of “active attacks” and follows a separate note from Google that references the IE flaw “being actively exploited in the wild for targeted attacks.”

IMPORTANT: This is not the MS12-037 that Microsoft just patched this week on Patch Tuesday.

This is a zero-day vulnerability. Both Microsoft and Google have issued warnings regarding it.

There are Twitter warnings all over the place about “Warning: State-Sponsored attackers may be trying to compromise your account or computer“.

In leiu of a patch for Internet Explorer to fix this vulnerability, Microsoft has devised a “FixIt” Tool intended to block the attack vector:

Microsoft Knowledge Base Article 2719615

Also, according to the ZDNet article:

Microsoft also recommends that Windows users deploy the Enhanced Mitigation Experience Toolkit (EMET), which helps prevent vulnerabilities in software from successfully being exploited.

However, either way, it makes great sense to use Microsoft’s “FixIt” Tool to mitigate this zero-day Internet Explorer vulnerability whether you use Internet Explorer or not.

If you do not wish to use the “FixIt Tool”, you could also use the pre-advisory instructions under the Suggested Actions section to mitigate the problem by disallowing Active Scripting from automatically running on your system (set it to prompt you to allow).

Adobe Flash Zero Day Bug Emergency Patch

Adobe patches new Flash zero-day bug with emergency update – Computerworld

Adobe today warned that hackers are exploiting a critical vulnerability in its popular Flash Player program, and issued an emergency update to patch the bug.

“There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message,” the Friday advisory said.

All editions of the Flash player are affected, but those abusing this vulnerability are targeting Internet Explorer with this current exploit and Adobe is giving it their Priority 1 status:

The update was pegged with Adobe’s priority rating of “1,” used to label patches for actively-exploited vulnerabilities or bugs that will likely be exploited. For such updates, Adobe recommends that customers install the new version within 72 hours.

In this case of course it’s already actively being exploited. So don’t wait! Don’t be a target, get your Adobe Flash Player update today!