-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2012.0128.2
        An unpatched vulnerability has been identified in Internet
                            Explorer 7, 8 and 9
                             19 September 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Internet Explorer 7
                      Internet Explorer 8
                      Internet Explorer 9
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:           Mitigation
CVE Names:            CVE-2012-4969  
Member content until: Thursday, October 18 2012

Comment: AusCERT has received reports that this vulnerability is currently
         being exploited in the wild.

Revision History:     September 19 2012: Added CVE reference number
                      September 18 2012: Initial Release

OVERVIEW

        A serious vulnerability has been identified in Internet Explorer
        versions 7, 8 and 9. Microsoft has yet to publish an update to
        correct this issue; proof of concept code for the vulnerability
        appears to exist and there are reports of it being actively
        exploited in the wild. [1, 2]


IMPACT

        This vulnerability could allow for code execution within the context of 
        the Internet Explorer user if a user browses to a malicious 
        website. [3]


MITIGATION

        At the time of publication of this bulletin, Microsoft has yet to 
        release a patch to correct this issue. It is advised that 
        administrators consider mitigating this risk via a number of methods:
        
        * A pre-defined list of "business related Internet sites" can be used 
        to reduce the attack surface of Internet Explorer. If the list of 
        business-critical URLs has been pre-defined in an organisation's 
        content filter, it is possible to allow users to continue using 
        internal / intranet sites and expose Internet Explorer only to 
        trusted Internet sites. Note that compromises can still occur through 
        advertisement panels on trusted sites; however, a business-related 
        sites list mitigates this threat to a large degree.
        
        * Where possible administrators should consider using an alternative 
        web browser until this vulnerability has been patched.
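        The following is an added illustration of the allowlist approach
        described above, not code from AusCERT or from any content filter
        product. It shows one way a filtering proxy could decide whether a
        request is for an intranet host or a pre-defined business site, and it
        deliberately matches on whole domain labels and on the parsed hostname
        so that lookalike names and userinfo tricks in the URL are not
        mistaken for an allowed site. All domain names, addresses and log
        lines below are constructed placeholders.

```python
"""Allowlist check for a browser content filter (constructed example).

Assumptions (not from the bulletin):
  - BUSINESS_SITES is the organisation's pre-defined list of business sites.
  - INTRANET_SUFFIXES is the internal DNS zone; single-label names and
    private/loopback addresses are also treated as intranet.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed placeholder values for illustration only
BUSINESS_SITES = {"example.com", "payroll-provider.example", "supplier.example"}
INTRANET_SUFFIXES = ("corp.example",)


def is_internal_host(host):
    """Intranet: private/loopback IP, single-label name, or internal DNS zone."""
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback
    except ValueError:
        pass  # not an IP literal; fall through to name checks
    if "." not in host:
        return True  # e.g. http://intranet/
    return any(host == s or host.endswith("." + s) for s in INTRANET_SUFFIXES)


def host_matches(host, allowed):
    """Exact or subdomain match on whole labels, so that
    'example.com.evil.net' does not match 'example.com'."""
    return host == allowed or host.endswith("." + allowed)


def url_allowed(url, business_sites=BUSINESS_SITES):
    """Return True if the URL is an intranet site or a listed business site."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname strips userinfo, port and IPv6 brackets and lowercases,
    # so 'http://example.com@evil.net/' is evaluated as 'evil.net'.
    host = parts.hostname
    if not host:
        return False
    host = host.rstrip(".")  # normalise a trailing dot (FQDN form)
    if is_internal_host(host):
        return True
    return any(host_matches(host, a) for a in business_sites)


def filter_requests(urls, business_sites=BUSINESS_SITES):
    """Split requested URLs into (allowed, blocked) lists."""
    allowed, blocked = [], []
    for u in urls:
        (allowed if url_allowed(u, business_sites) else blocked).append(u)
    return allowed, blocked


if __name__ == "__main__":
    # Constructed sample of proxy requests
    sample = [
        "https://www.example.com/report",
        "http://intranet/",
        "http://10.0.0.5/status",
        "http://wiki.corp.example/page",
        "http://example.com.evil.net/",      # lookalike suffix
        "http://example.com@evil.net/",      # userinfo trick
        "http://notexample.com/",            # partial label match
        "ftp://example.com/",                # non-web scheme
    ]
    ok, blocked = filter_requests(sample)
    for u in ok:
        print("ALLOW", u)
    for u in blocked:
        print("BLOCK", u)
```

        Whole-label matching and use of the parsed hostname are the two
        details that most often go wrong in home-grown allowlists; a naive
        substring check against the raw URL string would pass the
        lookalike and userinfo cases above.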
        
        In light of this unpatched vulnerability, it is a good opportunity for 
        a timely reminder of the importance of having an adequate incident 
        response plan. For example, how can your organisation reduce the 
        effects should a vulnerability be used against you? Are users educated 
        on safe browsing practices? Are you able to recover servers in a 
        timely fashion, and what other strategies do you have that can reduce 
        the impact of a successful attack? This is not an exhaustive list; the 
        key message is not just to try to block an attack, but to be prepared 
        to reduce the impact should an attack be successful.


REFERENCES

        [1] Exploit Released for Zero-Day in Internet Explorer
            http://krebsonsecurity.com/2012/09/exploit-released-for-zero-day-in-internet-explorer/

        [2] IE Zero Day is "For Real"
            https://isc.sans.edu/diary/IE+Zero+Day+is+For+Real+/14107

        [3] IE execCommand fuction Use after free Vulnerability 0day en
            http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day_en/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----