Attack code published for 'critical' IE flaw; Patch your browser now

Summary: Microsoft has confirmed that this flaw is being used in "limited attacks" but the company has not (yet) updated its MS12-037 bulletin to make it clear that public exploit code is now widely available.

Last week, when Microsoft released the critical Internet Explorer update, the company issued a warning that working exploit code could be released within 30 days.

By Ryan Naraine

Less than a week later, an exploit for one of the "critical" browser flaws has been fitted into the freely available Metasploit point-and-click attack tool, and samples have been released to Contagio, a blog that tracks live malware attacks.

The addition of the exploit to Metasploit effectively means that cyber-criminals can now copy the attack code for use in exploit kits and other mass malware attacks.

The vulnerability (CVE-2012-1875) is a remote code execution flaw in the way that Internet Explorer accesses an object that has already been deleted (a use-after-free). The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user, so a victim browsing from a standard (non-administrator) account limits what the attacker gains, but does not prevent the compromise.

Microsoft has confirmed that this flaw is being used in "limited attacks" but the company has not (yet) updated its MS12-037 bulletin to make it clear that public exploit code is now widely available.

According to McAfee, the live attacks started as far back as June 1, 2012:

The exploit works across all major Windows platforms, including Windows Vista and Windows 7. It leverages return-oriented programming (ROP) exploitation technology to bypass data execution prevention (DEP) and address space layout randomization (ASLR) protections, and hook-hopping evasion techniques to evade host-based IPS detections. It requires the victim's system to run an old Java virtual machine that came with a non-ASLR version of msvcr71.dll. If Java is not installed or there is no non-ASLR version of msvcr71.dll in the system, the exploit won't work, although it will cause IE to crash.

On Windows XP, the vulnerability can be reliably exploited without any third-party component. We found the exploit tried to download and execute a binary from a remote server. The server was hosted by Yahoo and was taken down the same day we reported this to Microsoft.
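The McAfee description above turns on one detail: the ROP chain needs a module loaded at a fixed address, and the old Java runtime's msvcr71.dll was linked without the ASLR opt-in flag. A module declares that opt-in in its PE optional header, so the practical check for a defender is "which loaded DLLs lack IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040)?" The C below is an added example, not code from the article, McAfee, Metasploit or Microsoft: it parses the PE headers from a byte buffer and reports the ASLR and DEP (IMAGE_DLLCHARACTERISTICS_NX_COMPAT, 0x0100) flags. The sample images it inspects are constructed headers-only stubs built by `build_min_pe`, not bytes from any real DLL; the function and constant names other than the documented flag values are the example's own.

```c
/* Added example: read DllCharacteristics from a PE image to see whether a
 * module opted in to ASLR and DEP. Not the article's or McAfee's code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Documented PE flag values (winnt.h) */
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT    0x0100
#define PE32_MAGIC     0x10b
#define PE32PLUS_MAGIC 0x20b

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Returns 0 and sets *dllchar on success, -1 if buf is not a PE image or is
 * too short to contain the field. Every offset is bounds-checked first. */
int pe_dll_characteristics(const uint8_t *buf, size_t len, uint16_t *dllchar) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t pe_off = rd32(buf + 0x3c);                 /* e_lfanew */
    /* need "PE\0\0" (4) + COFF header (20) + 72 bytes of optional header */
    if (pe_off > len || len - pe_off < 4 + 20 + 72) return -1;
    if (memcmp(buf + pe_off, "PE\0\0", 4) != 0) return -1;
    uint16_t opt_size = rd16(buf + pe_off + 4 + 16);    /* SizeOfOptionalHeader */
    if (opt_size < 72) return -1;
    const uint8_t *opt = buf + pe_off + 24;
    uint16_t magic = rd16(opt);
    if (magic != PE32_MAGIC && magic != PE32PLUS_MAGIC) return -1;
    /* DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts */
    *dllchar = rd16(opt + 70);
    return 0;
}

/* 1 = module opted in to ASLR, 0 = fixed load address (ROP-friendly), -1 = parse error */
int pe_has_aslr(const uint8_t *buf, size_t len) {
    uint16_t dc;
    if (pe_dll_characteristics(buf, len, &dc) != 0) return -1;
    return (dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) ? 1 : 0;
}

/* 1 = module marked NX-compatible (DEP), 0 = not, -1 = parse error */
int pe_has_nx(const uint8_t *buf, size_t len) {
    uint16_t dc;
    if (pe_dll_characteristics(buf, len, &dc) != 0) return -1;
    return (dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) ? 1 : 0;
}

/* Constructed sample: a headers-only PE image (DOS stub, COFF header and a
 * 96-byte optional header with no sections). Not a real DLL. Returns bytes written. */
size_t build_min_pe(uint8_t *out, size_t cap, uint16_t magic, uint16_t dllchar) {
    const uint32_t pe_off = 0x40;
    const size_t total = pe_off + 4 + 20 + 96;
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 'M'; out[1] = 'Z';
    wr32(out + 0x3c, pe_off);
    memcpy(out + pe_off, "PE\0\0", 4);
    wr16(out + pe_off + 4 + 16, 96);                    /* SizeOfOptionalHeader */
    uint8_t *opt = out + pe_off + 24;
    wr16(opt, magic);
    wr16(opt + 70, dllchar);
    return total;
}

/* Build one constructed module and classify it: 2 = ASLR and DEP, 1 = ASLR only,
 * 0 = neither flag (the msvcr71.dll situation), -1 = parse error. */
int sample_module_class(uint16_t magic, uint16_t dllchar) {
    uint8_t img[256];
    size_t n = build_min_pe(img, sizeof img, magic, dllchar);
    int aslr = pe_has_aslr(img, n), nx = pe_has_nx(img, n);
    if (aslr < 0 || nx < 0) return -1;
    return aslr + nx;
}

int main(void) {
    printf("hardened module: class %d\n", sample_module_class(PE32_MAGIC, 0x0140));
    printf("msvcr71-style module: class %d\n", sample_module_class(PE32_MAGIC, 0x0000));
    return 0;
}
```

To audit a live process the same `pe_dll_characteristics` call can be run over each loaded module's image as read from disk; any module returning 0 from `pe_has_aslr` is a ready-made source of fixed-address ROP gadgets, regardless of whether the browser process itself opted in.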

Researchers at AlienVault Labs are reporting the discovery of "several servers hosting similar versions of the exploit."  It also said the exploit supports a wide range of languages and Windows versions (from Windows XP through Windows 7) and appears to be very reliable.

It's important to note that this vulnerability is entirely different from the unpatched IE vulnerability linked to "nation-state attackers" engaged in ongoing attacks against GMail/Windows users.

This video shows the exploit in action in Metasploit.

  • Good response from Microsoft

    Microsoft is doing a good job mitigating this risk so quickly after being notified of it. Regression testing vulnerabilities brought on by buggy Java machines is a challenge.
    Your Non Advocate
  • What is the mitigation?

Has Microsoft patched this in Windows Update? Or does one have to go to MS12-037 and download and install the patch?
    • Yes and no.

      It was part of last week's "Patch Tuesday" so it should have been automatically downloaded and installed last week depending on how you have autoupdates configured.
      • "Should have" - right

        I have had Windows patches fail, always a good idea to check and make sure all security updates installed successfully.
  • Attack code published for 'critical' IE flaw; Patch your browser now

    Exploit will have very minimal effect considering its already patched. Anyone with automatic updates has the patch and in the business setting they already pushed the patches on Friday.
    Loverock Davidson-
  • Headline re-write to improve accuracy/honesty

    "Attack code published for 'critical' IE flaw; Patch was released 6 days ago."
    • Installed 6 Days Ago

      Same here...that patch was installed on my system on 6/13/2012
  • Another reason to ditch Windoze...

    buggy, crappy, virus-ridden bloatware. Just go with a Mac - you will never be sorry you did!
  • Come on guys! Really?

    Most people need to know what to look for in their "Installed Updates" in the Control Panel (under Programs and Features). What they really need is to look for KB2699988. That's the patch that they need to look for to see if it's installed on their system.
    • Really?

      Wow, I was just about to look for KB2689988!
      • 6 Days Ago

        It's most likely already installed. The only people that still need it are those who don't allow automatic updates or who think they can perform their own security better than Microsoft can by picking and choosing what to install. Some IT administrators wait to 'test' an update before rolling it out. That is ridiculous to do in this case. patch your systems!
  • Bullet proof IE fix: DELETE

I am sick and tired of putting up with MS and IE. It is now deleted. Bullet proof IE fix.
    • If Deleting IE fixes your security problem...

then why not delete all your browsers? Microsoft at least informs the public when a critical flaw is found in their software and issues patches to fix said problems. Do you ever get warnings like these from Firefox, Google or Safari? Didn't think so. Silence regarding security flaws does not translate into a safe browser.
  • Re: DELETE

    But wait.... Windows 8 is just around the corner. Don't you want to be mugged in the Metro?
  • Waiting for Win 8 to avoid all these

    Hope all these things will vanish with Windows 8. Eagerly waiting for it now.

    - Sara