Microsoft Releases Out-Of-Band IE Zero-Day Patch


As expected, Microsoft today released a cumulative update for Internet Explorer addressing the zero-day vulnerability in the browser being actively exploited in the wild. Security Update MS 12-063 patches not only the critical remote-execution zero-day, but four other vulnerabilities privately disclosed to Microsoft that are not being exploited.

The most critical vulnerability is the execCommand Use After Free flaw in IE versions 6-9. The vulnerability occurs because of a faulty way in which IE access objects in memory that have not been deleted or properly allocated. Successful exploits will give the attacker the same privileges as the user.

Exploits were discovered this week by a pair of research teams. Eric Romang, a Metasploit contributor, found the first last weekend while monitoring servers infected by a pair of recent Java zero-day exploits. Romang found a pair of HTML pages, an executable and a Flash movie file that triggers the executable when a user lands on one of the malicious HTML pages. The first exploit dropped the PoisonIvy remote access Trojan.

A few days later, researcher Jamie Blasco at AlienVault found three more exploits, including one that dropped the PlugX RAT. All of these exploits are tied to Nitro, a hacker group in China. The three latest exploits all target defense contractors in either the United States or India. Blasco had evidence within his research that these three exploits were built before the release of the Metasploit module and was able to tie them to Nitro because he found files named after a video game character from Warlock: Master of the Arcane; other files tied to previously tied to Nitro were similarly named.

Microsoft responded in stages throughout the week, first recommending several workarounds, before making a FixIt solution available that would temporarily mitigate the vulnerability until today’s patch was available. Microsoft announced it would release today’s patch late Wednesday night.