MULTI-STATE INFORMATON SHARING AND
ANALYSIS
CENTER CYBER SECURITY
ADVISORY
MS-ISAC ADVISORY
NUMBER:
2010-021
DATE(S)
ISSUED:
3/9/2010
SUBJECT:
Vulnerability in Internet Explorer Could Allow Remote Code
Execution
OVERVIEW:
A
vulnerability has been discovered in Microsoft’s web browser, Internet Explorer,
which could allow an attacker to take complete control of an affected system.
At this point in
time, no patches are available for this
vulnerability. Exploitation may occur if a user
visits a web page which is specifically crafted to take advantage of this
vulnerability. Depending on the privileges associated with the user, an attacker
could then install programs; view, change, or delete data; or create new
accounts with full user rights.
Please note: At this time, Microsoft
is aware of targeted attacks attempting to exploit this vulnerability.
SYSTEMS
AFFECTED:
·
Windows 2000
·
Windows XP
·
Windows Vista
·
Windows Server 2008
·
Internet Explorer 6
·
Internet Explorer 7
RISK:
Government:
·
Large and medium government entities:
High
·
Small government entities: High
Businesses:
·
Large and medium business entities:
High
·
Small business entities: High
Home users:
High
DESCRIPTION:
A
vulnerability has been identified in Microsoft Internet Explorer that could
allow an attacker to take complete control of an affected system. The
vulnerability exists due to an invalid pointer reference being used within
Internet Explorer. It is possible, under certain conditions, for the invalid
pointer to be accessed after an object is deleted. An attacker can exploit this
vulnerability by hosting a specially crafted webpage. Once the user visits the
page, the vulnerability will allow Internet Explorer to access a freed object
which could allow remote code execution.
Successful exploitation could allow an attacker to gain
the same privileges as the logged on user. Depending on the privileges
associated with the user, an attacker could then install programs; view, change,
or delete data; or create new accounts with full user
rights.
Please note: At this time, Microsoft
has not provided as patch, and is aware of targeted attacks attempting to
exploit this vulnerability.
RECOMMENDATIONS:
We
recommend the following actions be taken:
·
Install the appropriate Microsoft patch as
soon as it becomes available after appropriate testing.
·
Consider upgrading to Internet Explorer 8
since according to Microsoft
it is currently not affected.
·
Remind users not to visit un-trusted websites
or follow links provided by unknown or un-trusted sources.
·
If your organization has deployed alternate
browsers, recommend staff utilize an alternate browser.
·
Consider implementing the following
workarounds provided by Microsoft:
1.
Enable DEP for Internet Explorer 6
Service Pack 2 or Internet Explorer 7
2.
Set Internet and Local intranet
security zone settings to “High” to block ActiveX Controls and Active Scripting
in these zones
3.
Modify the Access Control List (ACL)
on iepeers.dll
4.
Configure Internet Explorer to
prompt before running Active Scripting or to disable Active Scripting in the
Internet and Local intranet security zone
REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/advisory/981374.mspx
Secunia:
http://secunia.com/advisories/38860/
SecurityFocus:
http://www.securityfocus.com/bid/38615
CVE:
http://secunia.com/advisories/cve_reference/CVE-2010-0806/
March 15 – update
Vulnerability in Internet Explorer versions 6 and 7 – fix it for me solution available
A unpatched vulnerability has been identified in IE6 and IE7 (hopefully
you are running IE8 which is not affected by this vulnerability). Microsoft
has recently added a fix it for me solution and it can be applied from http://support.microsoft.com/kb/981374.
Other details available about the vulnerability – http://www.microsoft.com/technet/security/advisory/981374.mspx
Executive Summary
Microsoft is investigating new, public reports of a vulnerability in
Internet Explorer 6 and Internet Explorer 7. Our investigation has
shown that the latest version of the browser, Internet Explorer 8, is
not affected. The main impact of the vulnerability is remote code
execution. This advisory contains information about which versions of
Internet Explorer are vulnerable as well as workarounds and mitigations
for this issue.
Our investigation so far has shown that Internet Explorer 8 and
Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service
Pack 4 are not affected, and that Internet Explorer 6 Service Pack 1 on
Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and
Internet Explorer 7 are vulnerable.
The vulnerability exists due to an invalid pointer reference being used
within Internet Explorer. It is possible under certain conditions for
the invalid pointer to be accessed after an object is deleted. In a
specially-crafted attack, in attempting to access a freed object,
Internet Explorer can be caused to allow remote code execution.
Revisions
• V1.0 (March 9, 2010): Advisory published.
• V1.1 (March 10, 2010): Restated the mitigation concerning the e-mail
vector. Added a new workaround for disabling the peer factory class in
iepeers.dll.
• V1.2 (March 12, 2010): Added an automated Microsoft Fix it solution
to apply or undo the workaround for disabling the peer factory class on
Windows XP or Windows Server 2003.
Leave a Reply
You must be logged in to post a comment.