IE Zero Day is "For Real"

Published: 2012-09-17
Last Updated: 2012-09-17 15:51:11 UTC
by Rob VandenBrink (Version: 1)
15 comment(s)

We've had numerous readers write in about an IE8 zero day, most pointed us here for more info on it ==> http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/

Since I'm not a "Malware Analysis Guy" (at least until I take Lenny's Forensics 610 class), I hunted around for some confirmation before I posted. 

I guess a Metasploit module that exploits it counts as confirmation !
http://dev.metasploit.com/redmine/projects/framework/repository/revisions/aac41e91fd38f99238971892d61ead4cfbedabb4/entry/modules/exploits/windows/browser/ie_execcommand_uaf.rb

Also more info here:  http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day

And yes, there is code in the wild that exploits this (since Sept14th).  And no, there is no patch for it yet

If you're still running IE7,8 or 9, today is a good day to think about switching browsers for a couple of weeks. 

(thanks to our readers, who corrected my original post - this zero day affects not just IE8, but also IE7 and IE9)

===============
Rob VandenBrink
Metafore

 

Keywords: ie ie7 ie8 ie9zero day
15 comment(s)

Comments

IE9 won't save you (and neither will IE7):
https://community.rapid7.com/community/metasploit/blog/2012/09/17/lets-start-the-week-with-a-new-internet-explorer-0-day-in-metasploit
Like Paul said, this is for IE 7 - 9, not just 8. Until a patch is released, you should not use IE.
Would the latest version of EMET that includes the ROP protections for java and iexplore executables block this attack? Wondering if it is a compensating control until the patch is released.
any cve# for this yet?
IE 6 through 9 vulnerable: http://technet.microsoft.com/en-us/security/advisory/2757760
According to this article, EMET should protect you. http://www.reuters.com/article/2012/09/18/net-us-microsoft-browser-idUSBRE88G1CA20120918
See also http://technet.microsoft.com/en-us/security/advisory/2757760

IE 6, 7, 8, 9 and 10 are affted on most platforms
Is this a candidate for moving the threat level to Yellow?
Sir, are you absolutely sure? It does mean changing the bulb.
Suggesting that another browser be used does not work when the Corporate accounting system cannot function in any browser except IE.

Diary Archives