Active Zero-Day Exploit Targets Internet Explorer Flaw

On June 1, McAfee Labs discovered a new Microsoft Internet Explorer zero-day attack that is active in the wild and exploits a use-after-free vulnerability. We have successfully reproduced it with the latest IE8 on Windows 7. We have confirmed that it is a zero-day and have been working with the Microsoft security team on a fix. Today, Microsoft released the patch for MS12-037 and CVE-2012-1875, the identifier Microsoft assigned to the issue we identified. At Microsoft’s request, we coordinated the release of this blog with the release of the patch.

The exploit works across all major Windows platforms, including Windows Vista and Windows 7. It leverages return-oriented programming (ROP) exploitation techniques to bypass data execution prevention (DEP) and address space layout randomization (ASLR), and hook-hopping evasion techniques to evade host-based IPS detection. It requires the victim’s system to run an old Java virtual machine that shipped with a non-ASLR version of msvcr71.dll. If Java is not installed or there is no non-ASLR version of msvcr71.dll on the system, the exploit won’t work, although it will still cause IE to crash.
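Because the exploit only succeeds when a non-ASLR msvcr71.dll is present, the practical check for a defender is whether that DLL was linked with the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag. The following is an added example, not code from McAfee or from this post: it reads the DllCharacteristics field of a PE optional header directly (offset 70 in both PE32 and PE32+ headers) and reports whether the image opts into ASLR and DEP. The `build_test_image` helper constructs a minimal fake PE header so the logic can be exercised offline; real use points `audit_dll` at a copy of msvcr71.dll on a Windows host.

```python
import struct
from pathlib import Path

# Flag values from the PE/COFF specification (IMAGE_DLLCHARACTERISTICS_*).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image can be relocated: ASLR-compatible
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP-compatible


def pe_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_hdr = e_lfanew + 4 + 20                          # skip signature + COFF file header
    (magic,) = struct.unpack_from("<H", data, opt_hdr)
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt_hdr + 70)
    return dll_chars


def assess(data: bytes) -> dict:
    """Summarise the mitigation flags of a PE image as {'aslr': bool, 'dep': bool}."""
    chars = pe_dll_characteristics(data)
    return {
        "aslr": bool(chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def audit_dll(path) -> dict:
    """Assess a DLL on disk; a result with aslr=False is the condition the exploit needs."""
    data = Path(path).read_bytes()
    result = assess(data)
    result["path"] = str(path)
    result["exploit_precondition_met"] = not result["aslr"]
    return result


def build_test_image(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (not a real DLL) used only for offline testing."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = b"PE\0\0" + b"\0" * 20                        # signature + zeroed COFF header
    magic = 0x20B if pe32plus else 0x10B
    opt = struct.pack("<H", magic).ljust(70, b"\0") + struct.pack("<H", dll_characteristics)
    return dos + coff + opt


if __name__ == "__main__":
    import sys
    # Usage: python aslr_check.py C:\path\to\msvcr71.dll [more DLLs...]
    for p in sys.argv[1:]:
        r = audit_dll(p)
        status = "NON-ASLR (exploit precondition met)" if r["exploit_precondition_met"] else "ASLR-enabled"
        print(f"{r['path']}: {status}, DEP-compatible={r['dep']}")
```

A DLL that reports aslr=False is loaded at its preferred base on every boot, which is exactly what a ROP chain needs to hard-code gadget addresses; updating or removing the old Java runtime that ships such a copy, or an HIPS rule that blocks execution from that module, removes the precondition.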

On Windows XP, the vulnerability can be reliably exploited without any third-party component. We found that the exploit tried to download and execute a binary from a remote server. The server was hosted by Yahoo and was taken down the same day we reported this to Microsoft.

McAfee NSP customers are protected by signature 0x402be000, "HTTP: Microsoft Internet Explorer Same ID Property Remote Code Execution." McAfee has released a Security Advisory with coverage details on all McAfee products. Full McAfee product coverage is below.

McAfee Antivirus / Web Gateway: Coverage for known exploits is provided as "Exploit-CVE2012-1875" in the current DAT release.
McAfee Network Security Platform: Coverage is provided via Signature 0x402be000, "HTTP: Microsoft Internet Explorer Same ID Property Remote Code Execution."
McAfee Vulnerability Manager: The MVM/FSL release of June 4 includes a vulnerability check to assess whether your systems are at risk.
McAfee Host Intrusion Prevention: Protection is provided via Generic Buffer Overflow Protection. This protection also extends to McAfee VirusScan Enterprise installations with Generic Buffer Overflow Protection enabled.
McAfee Application Control: Under analysis.


I thank my colleagues Zheng Bu, Bing Sun, and Hirosh Joseph for their analysis of the vulnerability and exploit.