Microsoft Releases Out-of-Cycle Patch for IE
Microsoft has released MS12-063 to address vulnerabilities affecting Internet Explorer versions 6, 7, 8, and 9. The vulnerabilities, which were covered in CVE-2012-4969, can allow arbitrary code execution when exploited. Here’s an in-depth analysis of one of the vulnerabilities:
The use-after-free vulnerability arises when a deleted object is referenced, for instance by calling document.write() to replace the whole page while an event queued through the execCommand method is still pending. When the execCommand method is called, a CMshtmlEd object is created. However, when the object is deleted, Internet Explorer releases the CMshtmlEd object. Later, mshtml!CMshtmlEd::Exec() tries to access the released CMshtmlEd object without verifying that it is still valid, leading to the use-after-free vulnerability.
In the samples we’ve seen, execCommand is invoked with the action “selectAll”. At the same time, the body has another action triggered on selection. This action replaces the whole page with some text, forcing IE to free body objects. After the objects have been deleted, execCommand will try to use those objects, leading to the vulnerability. A Flash object is used to spray the heap with controlled data to alter the execution flow.
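The missing validity check described above can be modelled in a few lines of C. This is an added illustration, not mshtml or Microsoft patch code; the slot pool, the generation-tagged handle and all function names are hypothetical. A pending command holds a handle instead of a raw pointer, so a late Exec on a released and reused slot is refused.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not mshtml code: editor objects live in slots and
   are referenced through handles (slot index + generation). */
#define SLOTS 4
typedef struct { unsigned gen; int live; char cmd[16]; } Editor;
typedef struct { unsigned idx, gen; } Handle;

static Editor pool[SLOTS];

/* Allocate an editor object for a command; returns its handle. */
Handle editor_create(const char *cmd) {
    for (unsigned i = 0; i < SLOTS; i++) {
        if (!pool[i].live) {
            pool[i].live = 1;
            pool[i].gen++;                 /* new generation on every reuse */
            snprintf(pool[i].cmd, sizeof pool[i].cmd, "%s", cmd);
            return (Handle){ i, pool[i].gen };
        }
    }
    return (Handle){ SLOTS, 0 };           /* pool exhausted: invalid handle */
}

/* Page replacement (the document.write() step) releases the object. */
void editor_release(Handle h) {
    if (h.idx < SLOTS && pool[h.idx].gen == h.gen) pool[h.idx].live = 0;
}

/* The check the text says is missing: confirm the object is still the
   one the pending command was queued against before touching it. */
int editor_exec(Handle h) {
    if (h.idx >= SLOTS) return -1;
    Editor *e = &pool[h.idx];
    if (!e->live || e->gen != h.gen) return -1;   /* stale: refuse */
    return (int)strlen(e->cmd);                   /* stand-in for real work */
}

/* Replays the sequence from the text; returns the result of the late Exec. */
int replay_sequence(void) {
    Handle pending = editor_create("selectAll"); /* execCommand queued */
    editor_release(pending);                     /* page replaced, object freed */
    editor_create("other-data");                 /* slot reused by other data */
    return editor_exec(pending);                 /* pending command finally runs */
}

int main(void) {
    printf("late exec -> %d\n", replay_sequence());
    return 0;
}
```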
Zero-day Exploit in the Wild
The exploit, detected by Trend Micro as HTML_EXPDROP.II, has triggered several attacks. When executed, this malware drops SWF_DROPPR.II, which in turn drops a PoisonIvy variant detected as BKDR_POISON.BMN. The second attack spotted leads to TROJ_PLUGX.ME, which executes malicious files on the infected systems. Accordingly, this malware is a variant of the PlugX remote access tool (RAT) recently blogged here.
Users are advised to update their systems with the latest patch from Microsoft. Trend Micro Smart Protection Network™ protects users by detecting the exploit and other malicious files and blocking access to the malicious servers. Moreover, Trend Micro’s Deep Security protects users through IDF rule 005194 – Microsoft Internet Explorer ‘execCommand’ Use-After-Free Vulnerability. Lastly, Titanium 2013 safeguards user systems via its browser exploit prevention feature.
Post from: TrendLabs | Malware Blog – by Trend Micro