On June 1, McAfee Labs discovered a new Microsoft Internet Explorer zero-day attack that is active in the wild and exploits a use-after-free vulnerability. We have successfully reproduced it with the latest IE8 and Windows 7. We have confirmed it’s a zero day and have been working with the Microsoft security team for their solutions. Today, Microsoft released the patch for MS12-037 and CVE-2012-1875, which Microsoft assigned to the issue we identified. At Microsoft’s request, we coordinated the release of this blog with the release of the patch.
The exploit works across all major Windows platforms, including Windows Vista and Windows 7. It leverages return-oriented programming (ROP) exploitation technology to bypass with data execution (DEP) and address space layout randomization (ASLR) protections, and hook-hopping evasion techniques to evade host-based IPS detections. It requires the victim’s system to run an old Java virtual machine that came with a non-ASLR version of msvcr71.dll. If Java is not installed or there is no non-ASLR version of msvcr71.dll in the system, the exploit won’t work, although it will cause IE to crash.
On Windows XP, the vulnerability can be reliably exploited without any third-party component. We found the exploit tried to download and execute a binary from a remote server. The server was hosted by Yahoo and was taken down the same day we reported this to Microsoft.
McAfee NSP customers are protected by signature 0x402be000, HTTP: Microsoft Internet Explorer Same ID Property Remote Code Execution. McAfee will release a Security Advisory with coverage details on all McAfee products.
I thank my colleagues Zheng Bu and Bing Sun for their analysis of the vulnerability and exploit.
Leave a reply