
                         AUSCERT Security Bulletin

        An unpatched vulnerability has been identified in Internet
                            Explorer 7, 8 and 9
                             19 September 2012


        AusCERT Security Bulletin Summary

Product:              Internet Explorer 7
                      Internet Explorer 8
                      Internet Explorer 9
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:           Mitigation
CVE Names:            CVE-2012-4969  
Member content until: Thursday, October 18 2012

Comment: AusCERT has received reports that this vulnerability is currently
         being exploited in the wild.

Revision History:     September 19 2012: Added CVE reference number
                      September 18 2012: Initial Release


        A serious vulnerability has been identified in Internet Explorer
        versions 7, 8 and 9. While Microsoft has yet to publish an update to
        correct this issue, it appears that proof of concept code exists for
        this vulnerability and there are reports of it being actively
        exploited in the wild. [1, 2]


        This vulnerability could allow for code execution within the context of
        the Internet Explorer user if a user browses to a malicious
        website. [3]


        At the time of publication of this bulletin, Microsoft has yet to
        release a patch to correct this issue. It is advised that
        administrators consider mitigating this risk via a number of methods:
        * A pre-defined list of "business related Internet sites" can be used
        to reduce the surface exposure of Internet Explorer. If the list of
        business-critical URLs has been pre-defined in an organisation's
        content filter, it is possible to allow users to continue using
        internal / intranet sites, and only expose Internet Explorer to
        trusted Internet sites. Note that compromises can still occur through
        advertisement panels served on trusted sites; however, using a
        business related sites list mitigates this threat to a large degree.
        * Where possible, administrators should consider using an alternative
        web browser until this vulnerability has been patched.
        In light of this unpatched vulnerability, it is a good opportunity for
        a timely reminder on the importance of having an adequate incident
        response plan. For example, how can your organisation reduce the
        effects should a vulnerability be used against you? Are users educated
        on safe browsing practices? Are you able to recover servers in a
        timely fashion? What other strategies can reduce the impact of a
        successful attack? This is not an exhaustive list; however, the key
        message is not just to try and block an attack, but to be prepared
        to reduce the impact should an attack be successful.


        [1] Exploit Released for Zero-Day in Internet Explorer

        [2] IE Zero Day is "For Real"

        [3] IE execCommand function Use-after-free Vulnerability 0day en

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967