Last week, when Microsoft released the critical Internet Explorer update, the company issued a warning that working exploit code could be released within 30 days.
Less than a week later, an exploit for one of the "critical" browser flaw has been fitted into the freely available Metasploit point-and-click attack tool and samples have been released to Contagio, a blog that tracks live malware attacks.
The addition of the exploit into Metasploit effectively means that cyber-criminals now have access to copy the attack code for use in exploit kit and other mass malware attacks.
The vulnerability (CVE-2012-1875) is a remote code execution flaw in the way that Internet Explorer accesses an object that has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Microsoft has confirmed that this flaw is being used in "limited attacks" but the company has not (yet) updated its MS12-037 bulletin to make it clear that public exploit code is now widely available.
The exploit works across all major Windows platforms, including Windows Vista and Windows 7. It leverages return-oriented programming (ROP) exploitation technology to bypass with data execution (DEP) and address space layout randomization (ASLR) protections, and hook-hopping evasion techniques to evade host-based IPS detections. It requires the victim’s system to run an old Java virtual machine that came with a non-ASLR version of msvcr71.dll. If Java is not installed or there is no non-ASLR version of msvcr71.dll in the system, the exploit won’t work, although it will cause IE to crash.
On Windows XP, the vulnerability can be reliably exploited without any third-party component. We found the exploit tried to download and execute a binary from a remote server. The server was hosted by Yahoo and was taken down the same day we reported this to Microsoft.
Researchers at AlienVault Labs are reporting the discovery of "several servers hosting similar versions of the exploit." It also said the exploit supports a wide range of languages and Windows versions (from Windows XP through Windows 7) and appears to be very reliable.
It's important to note that this vulnerability is entirely different from the unpatched IE vulnerability linked to "nation-state attackers" engaged in ongoing attacks against GMail/Windows users.
This video shows the exploit in action in Metasploit.