sinn3r

Microsoft Internet Explorer 0-Day Marks the End of 2012

Blog Post created by sinn3r Employee on Dec 29, 2012

Not too long ago, HD Moore was interviewed by eSecurity Planet looking back Microsoft's security over 2012.  He made a very interesting remark about the trend of Microsoft vulnerabilities:

 

"It seems like the market for Windows vulnerabilities has burned up most of the easy-to-find bugs, and the folks who would normally report the big ones are keeping them private..."

 

Today, just when we think we get to relax a little bit after a year of hard work, we are once again reminded by another Microsoft Internet Explorer 0-day about that fact, which also marks the end of 2012.  The skies did not fall, the machines did not rise... but hey, guess what, I think private 0-days will.

 

The December 0-day (CVE-2012-4792) was first spotted and publicly disclosed by FireEye, and this is the story: Sometime in December, Council on Foreign Relations (CFR)'s website was compromised, and then began hosting malicious content from there.  The 0day exploit was written to target English, Chinese (China & Taiwan), Japanese, Korean and Russian-based Windows users.  Who would usually visit the CFR website?  Please feel free to guess.  If you are using IE9 or IE10, today's is your lucky day, because you are not vulnerable to this.  For those who are using older versions of IE such as 8 -- what's the matter with you?

 

According to Net Market Share, these vulnerable IEs still make up about ~33% of the browser market share, with IE8 still being the most popular IE browser.

 

Thanks to our Metasploit contributors Eric Romang and Mahmud ab rahman (and of course, @binjo's fantastic writeup about the vulnerability), we quickly re-examined the root cause of the use-after-free, and then porting the exploit was as simple as applying our own browser exploit template, and running Corelan's pre-release WinDBG Mona exploit dev tool:

 

Screen shot 2012-12-29 at 6.00.26 PM.png

 

 

And finally, the initial version of the exploit is ready to serve the public.  Here's an example of our Metasploit exploit in action:

full_desktop.png

 

Please note that our exploit may be updated when necessary, but you can always find it here:

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/wind ows/browser/ie_cbutton_uaf.rb

 

If your computer is vulnerable to this flaw, there is currently no official patch, but here are some recommendations you may consider:

 

We DO NOT recommend using an anti-virus product as an effective mitigation, as the following example demonstrates it's possible you still could be attacked without your AV ever knowing (even with OBFUSCATE set to false):

 

Screen shot 2012-12-30 at 9.14.14 PM.png

 

In addition, here's Microsoft's official advisory for CVE-2012-4792 that you should read:

http://technet.microsoft.com/en-us/security/advisory/2794220

 

If you'd like to try out this Metasploit module to better validate your network's defenses, please feel free to download Metasploit from here.  If you habitually use Metasploit Framework, you can just run msfupdate now to obtain it.  If you're a Metasploit Pro user, you will see this module in the upcoming update.

 

 

Timeline

============

Dec 29th, 2012 - Metasploit releases exploit for CVE-2012-4792

Dec 29th, 2012 - Microsoft releases security advisory 2794220

Dec 31st, 2012 - Microsoft releases fix-it solution (KB2794220)

Jan 14th, 2013 - Microsoft releases MS13-008

Outcomes