Not too long ago, HD Moore was interviewed by eSecurity Planet looking back Microsoft's security over 2012. He made a very interesting remark about the trend of Microsoft vulnerabilities:
"It seems like the market for Windows vulnerabilities has burned up most of the easy-to-find bugs, and the folks who would normally report the big ones are keeping them private..."
Today, just when we think we get to relax a little bit after a year of hard work, we are once again reminded by another Microsoft Internet Explorer 0-day about that fact, which also marks the end of 2012. The skies did not fall, the machines did not rise... but hey, guess what, I think private 0-days will.
The December 0-day (CVE-2012-4792) was first spotted and publicly disclosed by FireEye, and this is the story: Sometime in December, Council on Foreign Relations (CFR)'s website was compromised, and then began hosting malicious content from there. The 0day exploit was written to target English, Chinese (China & Taiwan), Japanese, Korean and Russian-based Windows users. Who would usually visit the CFR website? Please feel free to guess. If you are using IE9 or IE10, today's is your lucky day, because you are not vulnerable to this. For those who are using older versions of IE such as 8 -- what's the matter with you?
According to Net Market Share, these vulnerable IEs still make up about ~33% of the browser market share, with IE8 still being the most popular IE browser.
Thanks to our Metasploit contributors Eric Romang and Mahmud ab rahman (and of course, @binjo's fantastic writeup about the vulnerability), we quickly re-examined the root cause of the use-after-free, and then porting the exploit was as simple as applying our own browser exploit template, and running Corelan's pre-release WinDBG Mona exploit dev tool:
And finally, the initial version of the exploit is ready to serve the public. Here's an example of our Metasploit exploit in action:
Please note that our exploit may be updated when necessary, but you can always find it here:
If your computer is vulnerable to this flaw, there is currently no official patch, but here are some recommendations you may consider:
- Use EMET.
- Upgrade your Internet Explorer (I heard IE 10 is pretty safe according to Microsoft)
- If you're super cautious, you can always switch to a different browser such as Google Chrome.
We DO NOT recommend using an anti-virus product as an effective mitigation, as the following example demonstrates it's possible you still could be attacked without your AV ever knowing (even with OBFUSCATE set to false):
In addition, here's Microsoft's official advisory for CVE-2012-4792 that you should read:
If you'd like to try out this Metasploit module to better validate your network's defenses, please feel free to download Metasploit from here. If you habitually use Metasploit Framework, you can just run msfupdate now to obtain it. If you're a Metasploit Pro user, you will see this module in the upcoming update.
Dec 29th, 2012 - Metasploit releases exploit for CVE-2012-4792
Dec 29th, 2012 - Microsoft releases security advisory 2794220
Dec 31st, 2012 - Microsoft releases fix-it solution (KB2794220)
Jan 14th, 2013 - Microsoft releases MS13-008