9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.916 High
EPSS
Percentile
98.9%
Microsoft Internet Explorer contains a use-after-free vulnerability in the CButton object, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Microsoft Internet Explorer contains a use-after-free vulnerability in the mshtml CButton object. Specially-crafted JavaScript can cause Internet Explorer to free the CButton object without removing a pointer, resulting in a state where Internet Explorer may attempt to call an invalid memory address. This memory address may be under the control of the attacker.
This vulnerability is currently being exploited in the wild, using Adobe Flash to achieve a heap spray and Java to provide Return Oriented Programming (ROP) gadgets. Other proof-of-concept exploits are publicly available that do not use heap spraying.
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), Microsoft Office document, an attacker may be able to execute arbitrary code.
Apply an Update
Microsoft has released MS13-008 to address this vulnerability. Users should run Windows Update to receive the patch. If a user is unable to update, please consider the following workarounds:
Use the Microsoft Enhanced Mitigation Experience Toolkit
The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a video tutorial for setting up EMET 3.0 on Windows 7. Note that platforms that do not support ASLR, such as Windows XP and Windows Server 2003, will not receive the same level of protection that modern Windows platforms will.
Apply the Microsoft Fix It
Microsoft has provided a βFix itβ patch that causes Internet Explorer to safely crash if this vulnerability is attempted to be exploited, rather than resulting in code execution. Please see the Microsoft SRD blog entry for more details. Note that Windows must be fully-patched for the Fix it to be effective. There is also a report that the Fix it is insufficient to completely address the vulnerability.
Disable the Flash ActiveX control in Internet Explorer
While it does not address the underlying vulnerability in Internet Explorer, disabling Flash may break some exploits. The Flash ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:
{D27CDB6E-AE6D-11cf-96B8-444553540000}
More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG
file and imported to set the kill bit for this control:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
Disable Java in Internet Explorer
Javascript is disabled. Click here to view vendors.
Group | Score | Vector |
---|---|---|
Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Temporal | 9 | E:H/RL:W/RC:UR |
Environmental | 9 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
This vulnerability was described by Eric Romang and FireEye.
This document was written by Will Dormann.
CVE IDs: | CVE-2012-4792 |
---|---|
Date Public: | 2012-12-28 Date First Published: |
blog.exodusintel.com/2013/01/04/bypassing-microsofts-internet-explorer-0day-fix-it-patch-for-cve-2012-4792/
blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html
blog.vulnhunt.com/index.php/2012/12/29/new-ie-0day-coming-mshtmlcdwnbindinfo-object-use-after-free-vulnerability/
blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx
blogs.technet.com/b/srd/archive/2012/12/31/microsoft-quot-fix-it-quot-available-for-internet-explorer-6-7-and-8.aspx
docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html#disable
eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/
labs.alienvault.com/labs/index.php/2012/just-another-water-hole-campaign-using-an-internet-explorer-0day
support.microsoft.com/kb/2458544
technet.microsoft.com/en-us/security/advisory/2794220
www.youtube.com/watch?v=28_LUs_g0u4
technet.microsoft.com/en-us/security/bulletin/ms13-008