
SANS ISC: Vulnerability in Internet Explorer Could Allow Remote Code Execution (CVE-2010-3962) - Internet Security | DShield SANS ISC InfoSec Forums


Vulnerability in Internet Explorer Could Allow Remote Code Execution (CVE-2010-3962)

Microsoft has announced a vulnerability in all currently-supported versions of Internet Explorer (6 through 8) that could allow the execution of arbitrary code (advisory 2458511). This would likely be leveraged in a drive-by-exploit scenario. They state that DEP (Data Execution Prevention) and Protected Mode are mitigating factors.

I'm still collecting more details so this will be updated as more details become available.

CVSS Base: pending
Exploit code: non-public, but reported to have attacks in the wild.
Workarounds: available
Patches: unavailable
IDS signatures: pending

Kevin Liston

292 Posts
ISC Handler
Please don't post links to the exploit code. Thanks.
Kevin Liston

292 Posts
ISC Handler
As we all know, MS offers two "Fix it" tools via http://support.microsoft.com/kb/2458511/en-us
Sadly and oddly enough, Fix it 50556 (the "CSS-Fix it", MicrosoftFixit50556.msi) has an error in the LaunchCondition of the MSI file, which leads to a "This Microsoft Fix it does not apply to your operating system or application version" error message when executing the MSI file on every Windows version you're trying to install it on, aborting the installation of the contained user-defined CSS file for Internet Explorer. The culprit is the second LaunchCondition FIXIT_RUN <> "" to be found in the MSI file. By removing this condition, the installation will continue and work as intended (IE will launch once after the installation has finished).
I informed MS about the error yesterday. So far, no reaction. Just in case you don't feel able or willing to fix the issue yourself, I'm offering a fixed version of the MSI file via http://patch-info.de/IE/Downloads/MicrosoftFixit50556.msi

Bye,
Freudi
Anonymous
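
The LaunchCondition table discussed in the comment above can be read without running the installer, which is also a way to see what a copy of the MSI obtained from any source will check before you deploy it. The PowerShell below is an added example, not part of the original thread and not Microsoft's or the commenter's code; it assumes a Windows host with the Windows Installer automation interface, and the local file path is hypothetical.

```powershell
# Added example: read-only inspection of an MSI's launch conditions (Windows only).
function Invoke-MsiMember {
    param($Object, [string]$Name, [string]$Kind = 'InvokeMethod', [object[]]$Arguments)
    # Windows Installer automation objects are late-bound, so call them via reflection.
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $Arguments)
}

function Get-MsiLaunchCondition {
    param([Parameter(Mandatory)][string]$Path)

    $full      = (Resolve-Path -LiteralPath $Path).Path
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db        = Invoke-MsiMember $installer 'OpenDatabase' -Arguments $full, 0   # 0 = read-only
    try {
        # Throws if the package has no LaunchCondition table at all.
        $sql  = 'SELECT `Condition`, `Description` FROM `LaunchCondition`'
        $view = Invoke-MsiMember $db 'OpenView' -Arguments $sql
        Invoke-MsiMember $view 'Execute' | Out-Null
        while ($null -ne ($row = Invoke-MsiMember $view 'Fetch')) {
            [pscustomobject]@{
                Condition   = Invoke-MsiMember $row 'StringData' 'GetProperty' 1
                Description = Invoke-MsiMember $row 'StringData' 'GetProperty' 2
            }
        }
        Invoke-MsiMember $view 'Close' | Out-Null
    }
    finally {
        # Release the database handle so the file is not left locked.
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($db)
    }
}

# Hypothetical local path: point it at the copy you downloaded.
$msi = '.\MicrosoftFixit50556.msi'

# Hash lets you compare copies obtained from different sources.
Get-FileHash -Path $msi -Algorithm SHA256

# A package edited after signing no longer carries a valid vendor signature.
Get-AuthenticodeSignature -FilePath $msi |
    Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }

# One row per launch condition; every Condition must evaluate true or setup aborts.
Get-MsiLaunchCondition -Path $msi | Format-List
```
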
IE 0-day in exploit kit...
- http://thompson.blog.avg.com/2010/11/heads-up-0-day-in-an-exploit-kit.html
November 07, 2010 - "... CVE-2010-3962* is in the Wild, but over the last couple of days, we've begun detecting it in the Eleonore Exploit Kit. This raises the stakes considerably..."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3962
.
Jack

160 Posts
Without any feedback and further visible information, MS corrected "Fix it" 50556 on November 11th. They now offer the corrected Fix it via their MSKB article, which is identical to the one I've been offering for download via patch-info.de since November 7th.

Bye,
Freudi
Anonymous
Well, in the meantime MS deploys the erroneous version of MicrosoftFixit50556.msi once again. Looks like someone is playing bullsh*t Bingo.
Anonymous
