Microsoft has released MS12-063 to address vulnerabilities affecting Internet Explorer versions 6, 7, 8, and 9. The most severe of the vulnerabilities was found able to allow arbitrary code execution when exploited. It was the said vulnerability which was earlier reported being used in attacks and leading to remote access tools (RAT). Here’s an in-depth analysis of one of the vulnerabilities:
The use-after-free vulnerability arises when a deleted object is referenced. For instance, by calling function document.write() to replace the whole page, while an event queued through execCommand method is still pending. When the execCommand method is called, CmshtmlEd object is created. However, when the object is deleted, Internet Explorer releases the CmshtmlEd object. Later, mshtml!CMshtmlEd::Exec() tries to access the released CmshtmlEd object, without verifying if it is still valid, leading to use-after-free vulnerability.
In the samples we’ve seen, the execCommand is invoked with action “selectAll”. At the same time, the body has another action triggered on selection. This action replaces the whole page with some text, forcing IE to free body objects. After the objects have been deleted, execComamnd will try to use those objects, leading to the vulnerability. A flash object is used to spray the heap with controlled data to alter the execution flow.
Zero-day Exploit in the Wild
The exploit for the above-mentioned vulnerability, detected by Trend Micro as HTML_EXPDROP.II, was seen used in several attacks. In one instance, the exploit was found loading SWF_DROPPR.II, which in turn downloads a PoisonIvy variant detected as BKDR_POISON.BMN. The second attack spotted leads to TROJ_PLUGX.ME, which executes malicious files on the infected systems. This malware is a variant of PlugX remote access tool (RAT) recently blogged here.
Users are advised to update their systems with the latest patch from Microsoft. Trend Micro Smart Protection Network™ protects users by detecting the exploit and other malicious files and blocking access to the malicious servers. Moreover, Trend Micro’s Deep security protects users through IDF rule 005194 – Microsoft Internet Explorer ‘execCommand’ Use-After-Free Vulnerability. Lastly, Titanium 2013 safeguards user systems via their browser exploit prevention feature.
Update as of Sept. 25 4:57 AM PDT
There seems to be no stopping attackers from targeting this vulnerability, as we saw more attacks leveraging this software bug. In particular, several compromised websites were found hosting exploits aimed at this vulnerability. Users who visit these sites are served with the exploit, which ultimately lead users to download PlugX variants onto their computers.
Below are some of these compromised sites and attacks.
|Compromised Site||Exploit||Malicious .SWF File Component||Payload|
With these developments, it is imperative for users and IT administrators to update their systems with the security patch released by Microsoft. Trend Micro users need not worry as they are protected from these threats.