Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0628.2
Vulnerability in Internet Explorer Could Allow Remote Code Execution
9 May 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Internet Explorer 8
Publisher: Microsoft
Operating System: Windows XP
Windows Server 2003
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution: Mitigation
CVE Names: CVE-2013-1347
Original Bulletin:
http://technet.microsoft.com/en-us/security/advisory/2847140
http://support.microsoft.com/kb/2847140
Comment: AusCERT has received reports that this vulnerability is currently
being exploited in the wild.
Where possible administrators should consider either using an
alternative web browser until this vulnerability has been patched
or upgrading to Internet Explorer 9 or 10.
Additionally, a pre-defined list of "business related Internet
sites" can be used to reduce the surface exposure of Internet Explorer.
If the list of business-critical URLs has been pre-defined in an
organisation's content filter, it is possible to allow users to
continue using internal / intranet sites, and only expose Internet
Explorer to trusted Internet sites. Note that compromises can
occur through advertisement panels even from trusted sites, however
using a business related sites list mitigates this threat to a large
degree.
Revision History: May 9 2013: Microsoft have released a FixIT patch to resolve this issue
May 6 2013: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Microsoft Security Advisory (2847140)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
Published: Friday, May 03, 2013
Version: 1.0
General Information
Executive Summary
Microsoft is investigating public reports of a vulnerability in Internet
Explorer 8. Microsoft is aware of attacks that attempt to exploit this
vulnerability.
Internet Explorer 6, Internet Explorer 7, Internet Explorer 9, and Internet
Explorer 10 are not affected by the vulnerability.
This is a remote code execution vulnerability. The vulnerability exists in the
way that Internet Explorer accesses an object in memory that has been deleted
or has not been properly allocated. The vulnerability may corrupt memory in a
way that could allow an attacker to execute arbitrary code in the context of
the current user within Internet Explorer. An attacker could host a specially
crafted website that is designed to exploit this vulnerability through
Internet Explorer and then convince a user to view the website.
On completion of this investigation, Microsoft will take the appropriate
action to protect our customers, which may include providing a solution
through our monthly security update release process, or an out-of-cycle
security update, depending on customer needs.
We are actively working with partners in our Microsoft Active Protections
Program (MAPP) to provide information that they can use to provide broader
protections to customers. In addition, we are actively working with partners
to monitor the threat landscape and take action against malicious sites that
attempt to exploit this vulnerability.
Microsoft continues to encourage customers to follow the guidance in the
Microsoft Safety & Security Center of enabling a firewall, applying all
software updates, and installing antimalware software.
Mitigating Factors:
By default, Internet Explorer on Windows Server 2003, Windows Server 2008,
and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced
Security Configuration. This mode mitigates this vulnerability.
By default, all supported versions of Microsoft Outlook, Microsoft Outlook
Express, and Windows Mail open HTML email messages in the Restricted sites
zone. The Restricted sites zone, which disables script and ActiveX controls,
helps reduce the risk of an attacker being able to use this vulnerability to
execute malicious code. If a user clicks a link in an email message, the user
could still be vulnerable to exploitation of this vulnerability through the
web-based attack scenario.
An attacker who successfully exploited this vulnerability could gain the same
user rights as the current user. Users whose accounts are configured to have
fewer user rights on the system could be less impacted than users who operate
with administrative user rights.
In a web-based attack scenario, an attacker could host a website that contains
a webpage that is used to exploit this vulnerability. In addition, compromised
websites and websites that accept or host user-provided content or
advertisements could contain specially crafted content that could exploit this
vulnerability. In all cases, however, an attacker would have no way to force
users to visit these websites. Instead, an attacker would have to convince
users to visit the website, typically by getting them to click a link in an
email message or Instant Messenger message that takes users to the attacker's
website.
Affected Software
Windows XP Service Pack 3 Internet Explorer 8
Windows XP Professional x64 Edition Service Pack 2 Internet Explorer 8
Windows Server 2003 Service Pack 2 Internet Explorer 8
Windows Server 2003 x64 Edition Service Pack 2 Internet Explorer 8
Windows Vista Service Pack 2 Internet Explorer 8
Windows Vista x64 Edition Service Pack 2 I Internet Explorer 8
Windows Server 2008 for 32-bit Systems Service Pack 2 Internet Explorer 8
Windows Server 2008 for x64-based Systems Service Pack 2 Internet Explorer 8
Windows 7 for 32-bit Systems Service Pack 1 Internet Explorer 8
Windows 7 for x64-based Systems Service Pack 1 Internet Explorer 8
Windows Server 2008 R2 for x64-based Systems Service Pack 1 Internet Explorer 8
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Internet Explorer 8
Workarounds
Apply the Microsoft Fix it solution, "CVE-2013-1347 MSHTML Shim Workaround",
that prevents exploitation of this issue
See Microsoft Knowledge Base Article 2847140 to use the automated Microsoft Fix
it solution to enable or disable this workaround.
Deploy the Enhanced Mitigation Experience Toolkit
The Enhanced Mitigation Experience Toolkit (EMET) helps mitigate the
exploitation of this vulnerability by adding additional protection layers that
make the vulnerability harder to exploit.
At this time, EMET is provided with limited support and is only available in
the English language. For more information, see Microsoft Knowledge Base
Article 2458544.
For more information about configuring EMET, see the EMET User's Guide:
On 32-bit systems the EMET User's Guide is located in
C:\Program Files\EMET\EMET User's Guide.pdf
On 64-bit systems the EMET User's Guide is located in
C:\Program Files (x86)\EMET\EMET User's Guide.pdf
Configure EMET for Internet Explorer from the EMET user interface
To add iexplore.exe to the list of applications using EMET, perform the
following steps:
Click Start, All Programs, Enhanced Mitigation Experience Toolkit, and
EMET 3.0.
Click Yes on the UAC prompt, click Configure Apps, then select Add.
Browse to the application to be configured in EMET.
On 64-bit versions of Microsoft Windows, the paths to 32-bit and x64
installations of Internet Explorer are:
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
On 32-bit versions of Microsoft Windows, the path to Internet Explorer
is
C:\Program Files\Internet Explorer\iexplore.exe
Click OK and exit EMET.
Configure EMET for Internet Explorer from a command line
Opt in Internet Explorer to all EMET 3.0 mitigations
On 64-bit systems, for 32-bit installations of IE run the following
from an elevated command prompt:
"c:\Program Files (x86)\EMET\EMET_Conf.exe" --set
"c:\Program Files (x86)\Internet Explorer\iexplore.exe"
And on 64-bit systems, for x64 installations of IE run the following
from an elevated command prompt:
"c:\Program Files (x86)\EMET\EMET_Conf.exe" --set
"c:\Program Files\Internet Explorer\iexplore.exe"
On 32-bit systems, for 32-bit installations of IE run the following
from an elevated command prompt:
"c:\Program Files\EMET\EMET_Conf.exe" --set
"c:\Program Files\Internet Explorer\iexplore.exe"
If you have completed this successfully, the following message appears:
"The changes you have made may require restarting one or more
applications"
If the application has already been added in EMET, the following
message appears:
Error: "c:\Program Files (x86)\Internet Explorer\iexplore.exe"
conflicts with existing entry for
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
For more information regarding running EMET_Conf.exe, see the command
line help by running the following from a command prompt.
On 32-bit systems:
"C:\Program Files\EMET\EMET_Conf.exe" /?
On 64-bit systems:
"C:\Program Files (x86)\EMET\EMET_Conf.exe" /?
Configure EMET for Internet Explorer using Group Policy
EMET can be configured using Group Policy. For information about configuring
EMET using Group Policy, see the EMET User's Guide:
On 32-bit systems the EMET User's Guide is located in
C:\Program Files\EMET\EMET User's Guide.pdf
On 64-bit systems the EMET User's Guide is located in
C:\Program Files (x86)\EMET\EMET User's Guide.pdf
Note For more information about Group Policy, see Group Policy collection.
Set Internet and Local intranet security zone settings to "High" to block
ActiveX Controls and Active Scripting in these zones
You can help protect against exploitation of this vulnerability by changing
your settings for the Internet security zone to block ActiveX controls and
Active Scripting. You can do this by setting your browser security to High.
To raise the browsing security level in Internet Explorer, perform the
following steps:
On the Internet Explorer Tools menu, click Internet Options.
In the Internet Options dialog box, click the Security tab, and then
click Internet.
Under Security level for this zone, move the slider to High. This sets
the security level for all websites you visit to High.
Click Local intranet.
Under Security level for this zone, move the slider to High. This sets
the security level for all websites you visit to High.
Click OK to accept the changes and return to Internet Explorer.
Note If no slider is visible, click Default Level, and then move the slider
to High.
Note Setting the level to High may cause some websites to work incorrectly.
If you have difficulty using a website after you change this setting, and
you are sure the site is safe to use, you can add that site to your list of
trusted sites. This will allow the site to work correctly even with the
security setting set to High.
Impact of workaround. There are side effects to blocking ActiveX Controls
and Active Scripting. Many websites that are on the Internet or on an
intranet use ActiveX or Active Scripting to provide additional
functionality. For example, an online e-commerce site or banking site may
use ActiveX Controls to provide menus, ordering forms, or even account
statements. Blocking ActiveX Controls or Active Scripting is a global
setting that affects all Internet and intranet sites. If you do not want to
block ActiveX Controls or Active Scripting for such sites, use the steps
outlined in "Add sites that you trust to the Internet Explorer Trusted
sites zone".
Add sites that you trust to the Internet Explorer Trusted sites zone
After you set Internet Explorer to block ActiveX controls and Active
Scripting in the Internet zone and in the Local intranet zone, you can add
sites that you trust to the Internet Explorer Trusted sites zone. This will
allow you to continue to use trusted websites exactly as you do today,
while helping to protect yourself from this attack on untrusted sites. We
recommend that you add only sites that you trust to the Trusted sites zone.
To do this, perform the following steps:
In Internet Explorer, click Tools, click Internet Options, and then
click the Security tab.
In the Select a web content zone to specify its current security
settings box, click Trusted Sites, and then click Sites.
If you want to add sites that do not require an encrypted channel,
click to clear the Require server verification (https:) for all sites
in this zone check box.
In the Add this website to the zone box, type the URL of a site that
you trust, and then click Add.
Repeat these steps for each site that you want to add to the zone.
Click OK two times to accept the changes and return to Internet
Explorer.
Note Add any sites that you trust not to take malicious action on your
system. Two in particular that you may want to add are
*.windowsupdate.microsoft.com and *.update.microsoft.com. These are the
sites that will host the update, and it requires an ActiveX Control to
install the update.
Configure Internet Explorer to prompt before running Active Scripting or to
disable Active Scripting in the Internet and Local intranet security zone
You can help protect against exploitation of this vulnerability by changing
your settings to prompt before running Active Scripting or to disable Active
Scripting in the Internet and Local intranet security zone. To do this,
perform the following steps:
In Internet Explorer, click Internet Options on the Tools menu.
Click the Security tab.
Click Internet, and then click Custom Level.
Under Settings, in the Scripting section, under Active Scripting,
click Prompt or Disable, and then click OK.
Click Local intranet, and then click Custom Level.
Under Settings, in the Scripting section, under Active Scripting,
click Prompt or Disable, and then click OK.
Click OK two times to return to Internet Explorer.
Note Disabling Active Scripting in the Internet and Local intranet
security zones may cause some websites to work incorrectly. If you have
difficulty using a website after you change this setting, and you are sure
the site is safe to use, you can add that site to your list of trusted
sites. This will allow the site to work correctly.
Impact of workaround. There are side effects to prompting before running
Active Scripting. Many websites that are on the Internet or on an intranet
use Active Scripting to provide additional functionality. For example, an
online e-commerce site or banking site may use Active Scripting to provide
menus, ordering forms, or even account statements. Prompting before running
Active Scripting is a global setting that affects all Internet and intranet
sites. You will be prompted frequently when you enable this workaround. For
each prompt, if you feel you trust the site that you are visiting, click Yes
to run Active Scripting. If you do not want to be prompted for all these
sites, use the steps outlined in "Add sites that you trust to the Internet
Explorer Trusted sites zone".
Add sites that you trust to the Internet Explorer Trusted sites zone
After you set Internet Explorer to require a prompt before it runs ActiveX
controls and Active Scripting in the Internet zone and in the Local
intranet zone, you can add sites that you trust to the Internet Explorer
Trusted sites zone. This will allow you to continue to use trusted websites
exactly as you do today, while helping to protect you from this attack on
untrusted sites. We recommend that you add only sites that you trust to the
Trusted sites zone.
To do this, perform the following steps:
In Internet Explorer, click Tools, click Internet Options, and then
click the Security tab.
In the Select a web content zone to specify its current security
settings box, click Trusted Sites, and then click Sites.
If you want to add sites that do not require an encrypted channel,
click to clear the Require server verification (https:) for all sites
in this zone check box.
In the Add this website to the zone box, type the URL of a site that
you trust, and then click Add.
Repeat these steps for each site that you want to add to the zone.
Click OK two times to accept the changes and return to Internet
Explorer.
Note Add any sites that you trust not to take malicious action on your
system. Two in particular that you may want to add are
*.windowsupdate.microsoft.com and *.update.microsoft.com. These are the
sites that will host the update, and it requires an ActiveX Control to
install the update.
Other Information
Acknowledgments
Microsoft thanks the following for working with us to help protect customers:
Daniel Caselden of FireEye for reporting the Internet Explorer Use After
Free Vulnerability (CVE-2013-1347)
iSIGHT Partners for working with us on the Internet Explorer Use After
Free Vulnerability (CVE-2013-1347)
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUYsOXe4yVqjM2NGpAQJrig/9GRxiennRhZgQXTN4PHXeU+t6eKZO+4Un
qgJQ9NL/le6ka6iBvMJmGYuEkFX3RldgppbIu4HY4l7o9ZbwUa4lMgFwbruDy99d
XXefrGsDkNpNhFKStFPH2V7pOudaMRRfiav5wS6sMPRbYD2Ng6Wn3hnJSr7g79vy
dcK2F4eHNvXuA2cb3JRAo0T8lFG31JXqG949OcJ7y0DdVND4EiigV+eK/5J+a8B/
okzIVFfeV5mm2wEHyDccZCjKl8WmHurHLwurHnnUgtx+yurvz6fe8Q4LEaLWA4/u
NfXoDHXD9rZdijiPUe6bLqdSXXEPjAO4CI9KZt68Pu5H6+cNg8A37gWnQk9cWEzs
lyhm08gUtuWIWtDQCm97+O3brZfQ+8lrplbDeNyx+LOjTGW5J4EupTX6TxSGGF+b
C5+XyhzryCzFe936Xt2wnpDx1mILwQ8rblHT1BlBqUh7x5beN0Iro4GGSDogUJUi
grqtoF7Cul+UHiNlxaoifhPiNlYUt8/QIGOq3Yp3YbPceSbCGS8BJPrx4Q6fCIBx
vGu7qY5La9AsUoaweP9ffxa7LI3PWTyP69dJN7AOW1SvQraTehZe/OUdLqMD8dxp
9yAohGZTxGcbRAV3Wvm5RtHI4LfVBwkkC9EzexvChY865qtcmESDimLSw8meMJua
+FF9sH+xCjw=
=6d2l
-----END PGP SIGNATURE-----