MS12-063 released (KB2744842):
Sep 21, 2012
V2.0 (Sep 21, 2012): Advisory updated to reflect publication of security bulletin.
___IE 0-day in-the-wild
Last Update: 2012-09-18
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6.x, 7.x, 8.x, 9.x
... vulnerability is caused due to a use-after-free error when handling "<img>" arrays and can be exploited via a specially crafted web page. Successful exploitation allows execution of arbitrary code... currently being actively exploited
. The vulnerability is reported on a fully patched Windows XP SP3. Other versions may also be affected...
... Reported as a 0-day.
"... potential Microsoft Internet Explorer 7 and 8 zero-day... exploited in the wild... This file is recognized as a HTML file*..."
File name: F4537FE00E40B5BC01D9826DC3E0C2E8.dat
Detection ratio: 15/42
Analysis date: 2012-09-18 10:50:06 UTC
18 Sep 2012 - "... The Rapid7 team got right on it and created a module exploiting the vulnerability for the Metasploit exploit toolkit during the weekend, and advised IE users to switch to other browsers such as Chrome or Firefox until Microsoft patches the flaw security update becomes available
. Microsoft has reacted fast by issuing a security advisory yesterday, in which it confirms the existence of the flaw in Internet explorer 9 and all previous versions (IE10 is not affected), and offers instructions on steps the users can take to mitigate - but not yet remove - the threat:
• Deploy the Enhanced Mitigation Experience Toolkit (EMET) and configure it for Internet Explorer
• Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
These steps could bring additional problems to the users
, such as being bombarded by a slew of security warnings, so until Microsoft releases a definitive patch for the hole, maybe it would be easier for IE users to take Rapid7's advice and switch to another browser
for the time being."
18 Sep 2012 - "... It remains to be seen whether patching the vulnerability will have to wait for the next scheduled Patch Tuesday in October or whether an unscheduled patch will be released..."
Last Updated: 2012-09-17 - "... there is code in-the-wild that exploits this (since Sept14th)... there is no patch for it yet. If you're still running IE7, 8 or 9, today is a good day to think about switching browsers
for a couple of weeks... (this zero day affects not just IE8, but also IE7 and IE9
Sep 17, 2012 - "... The payload dropped is Poison Ivy...
File name: a01dee0fdb5a752afea044c4e4fe4534ef5a23f6
Detection ratio: 25/42
Analysis date: 2012-09-18 06:19:29 UTC
The C&C server configured is ie.aq1 .co.uk that is currently resolving to 22.214.171.124
We’ve also seen that the domain used in the previous attacks hello.icon .pk is also pointing to the new IP address. Once executed, the payload creates the file C:\WINDOWS\system32\mspmsnsv.dll and the service WmdmPmSN is configured and started..."
17 Sep 2012 - "... the remote administration tool (RAT) Poison Ivy is currently being distributed in this way in order to give the attackers complete access to the infected system. Users running Internet Explorer can play it safe by switching to another web browser
17 Sep 2012 - "... this exploit was hosted on the same servers used in the Nitro attack*..."
Pg. 4 - PDF file: "... the threat used to compromise the targeted networks is Poison Ivy, a Remote Access Tool (RAT)... It comes fully loaded with a number of plug-ins to give an attacker complete control of the compromised computer..."
Sep 17, 2012 - "... get compromised simply by visiting a malicious website, which gives the attacker the same privileges as the current user. Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers
, such as Chrome or Firefox, until a security update becomes available. The exploit had already been used by malicious attackers in the wild before it was published in Metasploit..."