We have some Metasploit freshness for you today: A new zero-day exploit for Internet Explorer 7, 8, and 9 on Windows XP, Vista and 7. Computers can get compromised simply by visiting a malicious website, which gives the attacker the same privileges as the current user. Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available. The exploit had already been used by malicious attackers in the wild before it was published in Metasploit. The associated vulnerability puts about 41% of Internet users in North America and 32% world-wide at risk (source: StatCounter). We have added the zero-day exploit module to Metasploit to give the security community a way to test if their systems are vulnerable and to develop counter-measures.
Here's the back story: Some of you may remember that a couple of weeks ago, the Metasploit exploit team released a blog regarding a new Java exploit (CVE-2012-4681), with a blog entry titled "Let's Start the Week with a New Java 0day in Metasploit". You'd think the 0-day attack from the same malicious group might cool down a little after that incident... well, you'd be wrong. Because last weekend, our fellow researcher and Metasploit contributor Eric Romang just spotted another 0-day, possibly from the same group, exploiting a Microsoft Internet Explorer use-after-free vulnerability.
The Metasploit team has had the pleasure to work with Mr. Romang and @binjo together, and pretty soon we had a working exploit. You may download Metasploit here, and apply the latest update to pick up the exploit.
The following screenshot demonstrates a successful attack against a Windows 7 machine with Internet Explorer 9 installed:
This one is against Internet Explorer 8 installed:
Here's another example exploiting a fully-patched Windows XP SP3 box:
The exploit also works against Windows Vista, but I think you guys get the point now.
To try out this module, get your free Metasploit download now, or update your existing installation. In the meantime, we will keep this blog updated when more progress has been made.
- Sep 17th, 2012 - Microsoft releases advisory 2757760: http://technet.microsoft.com/en-us/security/advisory/2757760
- Sep 18th, 2012 - CVE assigned as: CVE-2012-4969
- Sep 19th, 2012 - Microsoft releases "fix-it", and has been verified working. More information can be found here. We still advise users to use the Metasploit module to test if the workaround is working properly or not, because even if the installer says "the fix has been processed", exploitation could still happen under specific circumstances. Here's an example.
- Sep 20th, 2012 - Microsoft updates the "fix-it" advisory to revision 2.0. Requirements clarified: 1) "For computers that are running 64-bit operating systems, the following Fix it solution only applies to 32-bit versions of Internet Explorer." 2) Before you apply this Fix it solution, you must ensure that Internet Explorer is fully updated by using the Windows Update service.
- Sep 21st, 2012 - Microsoft releases MS12-063. Please apply the patch ASAP!
- Sep 25th, 2012 - Make sure to check out Eric's blog post on "How to find latest IE vulnerability (CVE-2012-4969) with Nexpose"