-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2013.0628.2
   Vulnerability in Internet Explorer Could Allow Remote Code Execution
                                9 May 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Internet Explorer 8
Publisher:         Microsoft
Operating System:  Windows XP
                   Windows Server 2003
                   Windows Vista
                   Windows Server 2008
                   Windows 7
                   Windows Server 2008 R2
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Mitigation
CVE Names:         CVE-2013-1347  

Original Bulletin: 
   http://technet.microsoft.com/en-us/security/advisory/2847140
   http://support.microsoft.com/kb/2847140

Comment: AusCERT has received reports that this vulnerability is currently
         being exploited in the wild.
               
         Where possible administrators should consider either using an 
         alternative web browser until this vulnerability has been patched
         or upgrading to Internet Explorer 9 or 10.
                  
         Additionally, a pre-defined list of "business related Internet
         sites" can be used to reduce the surface exposure of Internet Explorer.
         If the list of business-critical URLs has been pre-defined in an 
         organisation's content filter, it is possible to allow users to 
         continue using internal / intranet sites, and only expose Internet 
         Explorer to trusted Internet sites. Note that compromises can
         occur through advertisement panels even from trusted sites, however
         using a business related sites list mitigates this threat to a large 
         degree.

Revision History:  May 9 2013: Microsoft have released a FixIT patch to resolve this issue
                   May 6 2013: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Advisory (2847140) 
Vulnerability in Internet Explorer Could Allow Remote Code Execution

Published: Friday, May 03, 2013

Version: 1.0 

General Information 

Executive Summary

Microsoft is investigating public reports of a vulnerability in Internet 
Explorer 8. Microsoft is aware of attacks that attempt to exploit this 
vulnerability.

Internet Explorer 6, Internet Explorer 7, Internet Explorer 9, and Internet 
Explorer 10 are not affected by the vulnerability.

This is a remote code execution vulnerability. The vulnerability exists in the
way that Internet Explorer accesses an object in memory that has been deleted
or has not been properly allocated. The vulnerability may corrupt memory in a
way that could allow an attacker to execute arbitrary code in the context of 
the current user within Internet Explorer. An attacker could host a specially
crafted website that is designed to exploit this vulnerability through 
Internet Explorer and then convince a user to view the website.

On completion of this investigation, Microsoft will take the appropriate 
action to protect our customers, which may include providing a solution 
through our monthly security update release process, or an out-of-cycle 
security update, depending on customer needs.

We are actively working with partners in our Microsoft Active Protections 
Program (MAPP) to provide information that they can use to provide broader 
protections to customers. In addition, we are actively working with partners 
to monitor the threat landscape and take action against malicious sites that 
attempt to exploit this vulnerability.

Microsoft continues to encourage customers to follow the guidance in the 
Microsoft Safety & Security Center of enabling a firewall, applying all 
software updates, and installing antimalware software.

Mitigating Factors:

By default, Internet Explorer on Windows Server 2003, Windows Server 2008,
and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced
Security Configuration. This mode mitigates this vulnerability. 

By default, all supported versions of Microsoft Outlook, Microsoft Outlook 
Express, and Windows Mail open HTML email messages in the Restricted sites 
zone. The Restricted sites zone, which disables script and ActiveX controls, 
helps reduce the risk of an attacker being able to use this vulnerability to 
execute malicious code. If a user clicks a link in an email message, the user 
could still be vulnerable to exploitation of this vulnerability through the 
web-based attack scenario. 

An attacker who successfully exploited this vulnerability could gain the same 
user rights as the current user. Users whose accounts are configured to have 
fewer user rights on the system could be less impacted than users who operate 
with administrative user rights. 

In a web-based attack scenario, an attacker could host a website that contains 
a webpage that is used to exploit this vulnerability. In addition, compromised 
websites and websites that accept or host user-provided content or 
advertisements could contain specially crafted content that could exploit this
vulnerability. In all cases, however, an attacker would have no way to force 
users to visit these websites. Instead, an attacker would have to convince 
users to visit the website, typically by getting them to click a link in an 
email message or Instant Messenger message that takes users to the attacker's
website.

Affected Software 

Windows XP Service Pack 3					Internet Explorer 8
Windows XP Professional x64 Edition Service Pack 2		Internet Explorer 8
Windows Server 2003 Service Pack 2				Internet Explorer 8
Windows Server 2003 x64 Edition Service Pack 2			Internet Explorer 8
Windows Vista Service Pack 2					Internet Explorer 8
Windows Vista x64 Edition Service Pack 2	I		Internet Explorer 8
Windows Server 2008 for 32-bit Systems Service Pack 2		Internet Explorer 8
Windows Server 2008 for x64-based Systems Service Pack 2	Internet Explorer 8
Windows 7 for 32-bit Systems Service Pack 1			Internet Explorer 8
Windows 7 for x64-based Systems Service Pack 1			Internet Explorer 8
Windows Server 2008 R2 for x64-based Systems Service Pack 1	Internet Explorer 8
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1	Internet Explorer 8

Workarounds

Apply the Microsoft Fix it solution, "CVE-2013-1347 MSHTML Shim Workaround", 
that prevents exploitation of this issue

See Microsoft Knowledge Base Article 2847140 to use the automated Microsoft Fix 
it solution to enable or disable this workaround.

Deploy the Enhanced Mitigation Experience Toolkit

The Enhanced Mitigation Experience Toolkit (EMET) helps mitigate the 
exploitation of this vulnerability by adding additional protection layers that
make the vulnerability harder to exploit.

At this time, EMET is provided with limited support and is only available in 
the English language. For more information, see Microsoft Knowledge Base 
Article 2458544.

For more information about configuring EMET, see the EMET User's Guide:
        On 32-bit systems the EMET User's Guide is located in 
        C:\Program Files\EMET\EMET User's Guide.pdf
        On 64-bit systems the EMET User's Guide is located in 
        C:\Program Files (x86)\EMET\EMET User's Guide.pdf

Configure EMET for Internet Explorer from the EMET user interface

To add iexplore.exe to the list of applications using EMET, perform the 
following steps:

	Click Start, All Programs, Enhanced Mitigation Experience Toolkit, and 
	EMET 3.0.
        Click Yes on the UAC prompt, click Configure Apps, then select Add. 
	Browse to the application to be configured in EMET.
	
        On 64-bit versions of Microsoft Windows, the paths to 32-bit and x64 
	installations of Internet Explorer are:

        C:\Program Files (x86)\Internet Explorer\iexplore.exe

        C:\Program Files\Internet Explorer\iexplore.exe

        On 32-bit versions of Microsoft Windows, the path to Internet Explorer 
	is

        C:\Program Files\Internet Explorer\iexplore.exe

        Click OK and exit EMET.

Configure EMET for Internet Explorer from a command line
        Opt in Internet Explorer to all EMET 3.0 mitigations
        On 64-bit systems, for 32-bit installations of IE run the following 
	from an elevated command prompt:

        "c:\Program Files (x86)\EMET\EMET_Conf.exe" --set 
	"c:\Program Files (x86)\Internet Explorer\iexplore.exe"

        And on 64-bit systems, for x64 installations of IE run the following
	from an elevated command prompt:

        "c:\Program Files (x86)\EMET\EMET_Conf.exe" --set 
	"c:\Program Files\Internet Explorer\iexplore.exe"

        On 32-bit systems, for 32-bit installations of IE run the following 
	from an elevated command prompt:

        "c:\Program Files\EMET\EMET_Conf.exe" --set 
	"c:\Program Files\Internet Explorer\iexplore.exe"

        If you have completed this successfully, the following message appears:

        "The changes you have made may require restarting one or more
	applications"

        If the application has already been added in EMET, the following 
	message appears:

        Error: "c:\Program Files (x86)\Internet Explorer\iexplore.exe" 
	conflicts with existing entry for 
	"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

        For more information regarding running EMET_Conf.exe, see the command 
	line help by running the following from a command prompt.

        On 32-bit systems:

        "C:\Program Files\EMET\EMET_Conf.exe" /?

        On 64-bit systems:

        "C:\Program Files (x86)\EMET\EMET_Conf.exe" /?

Configure EMET for Internet Explorer using Group Policy

EMET can be configured using Group Policy. For information about configuring 
EMET using Group Policy, see the EMET User's Guide:
        On 32-bit systems the EMET User's Guide is located in 
	C:\Program Files\EMET\EMET User's Guide.pdf
        On 64-bit systems the EMET User's Guide is located in 
	C:\Program Files (x86)\EMET\EMET User's Guide.pdf

Note For more information about Group Policy, see Group Policy collection.
     
Set Internet and Local intranet security zone settings to "High" to block 
ActiveX Controls and Active Scripting in these zones

You can help protect against exploitation of this vulnerability by changing 
your settings for the Internet security zone to block ActiveX controls and 
Active Scripting. You can do this by setting your browser security to High.

To raise the browsing security level in Internet Explorer, perform the 
following steps:

        On the Internet Explorer Tools menu, click Internet Options.
        In the Internet Options dialog box, click the Security tab, and then 
	click Internet.
        Under Security level for this zone, move the slider to High. This sets 
	the security level for all websites you visit to High.
        Click Local intranet.
        Under Security level for this zone, move the slider to High. This sets 
	the security level for all websites you visit to High.
        Click OK to accept the changes and return to Internet Explorer.

    Note If no slider is visible, click Default Level, and then move the slider 
    to High.

    Note Setting the level to High may cause some websites to work incorrectly. 
    If you have difficulty using a website after you change this setting, and 
    you are sure the site is safe to use, you can add that site to your list of
    trusted sites. This will allow the site to work correctly even with the 
    security setting set to High.

    Impact of workaround. There are side effects to blocking ActiveX Controls 
    and Active Scripting. Many websites that are on the Internet or on an 
    intranet use ActiveX or Active Scripting to provide additional 
    functionality. For example, an online e-commerce site or banking site may 
    use ActiveX Controls to provide menus, ordering forms, or even account 
    statements. Blocking ActiveX Controls or Active Scripting is a global 
    setting that affects all Internet and intranet sites. If you do not want to
    block ActiveX Controls or Active Scripting for such sites, use the steps 
    outlined in "Add sites that you trust to the Internet Explorer Trusted 
    sites zone".

    Add sites that you trust to the Internet Explorer Trusted sites zone

    After you set Internet Explorer to block ActiveX controls and Active 
    Scripting in the Internet zone and in the Local intranet zone, you can add 
    sites that you trust to the Internet Explorer Trusted sites zone. This will
    allow you to continue to use trusted websites exactly as you do today, 
    while helping to protect yourself from this attack on untrusted sites. We 
    recommend that you add only sites that you trust to the Trusted sites zone.

    To do this, perform the following steps:
        In Internet Explorer, click Tools, click Internet Options, and then 
        click the Security tab.
        In the Select a web content zone to specify its current security 
        settings box, click Trusted Sites, and then click Sites.
        If you want to add sites that do not require an encrypted channel, 
        click to clear the Require server verification (https:) for all sites 
        in this zone check box.
        In the Add this website to the zone box, type the URL of a site that 
        you trust, and then click Add.
        Repeat these steps for each site that you want to add to the zone.
        Click OK two times to accept the changes and return to Internet 
        Explorer.

    Note Add any sites that you trust not to take malicious action on your 
    system. Two in particular that you may want to add are 
    *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the 
    sites that will host the update, and it requires an ActiveX Control to 
    install the update.

     
    Configure Internet Explorer to prompt before running Active Scripting or to
    disable Active Scripting in the Internet and Local intranet security zone

    You can help protect against exploitation of this vulnerability by changing 
    your settings to prompt before running Active Scripting or to disable Active
    Scripting in the Internet and Local intranet security zone. To do this, 
    perform the following steps:
        In Internet Explorer, click Internet Options on the Tools menu.
        Click the Security tab.
        Click Internet, and then click Custom Level.
        Under Settings, in the Scripting section, under Active Scripting, 
        click Prompt or Disable, and then click OK.
        Click Local intranet, and then click Custom Level.
        Under Settings, in the Scripting section, under Active Scripting, 
        click Prompt or Disable, and then click OK.
        Click OK two times to return to Internet Explorer.

    Note Disabling Active Scripting in the Internet and Local intranet 
    security zones may cause some websites to work incorrectly. If you have 
    difficulty using a website after you change this setting, and you are sure 
    the site is safe to use, you can add that site to your list of trusted 
    sites. This will allow the site to work correctly.

    Impact of workaround. There are side effects to prompting before running 
    Active Scripting. Many websites that are on the Internet or on an intranet 
    use Active Scripting to provide additional functionality. For example, an 
    online e-commerce site or banking site may use Active Scripting to provide
    menus, ordering forms, or even account statements. Prompting before running 
    Active Scripting is a global setting that affects all Internet and intranet 
    sites. You will be prompted frequently when you enable this workaround. For 
    each prompt, if you feel you trust the site that you are visiting, click Yes
    to run Active Scripting. If you do not want to be prompted for all these 
    sites, use the steps outlined in "Add sites that you trust to the Internet 
    Explorer Trusted sites zone".

    Add sites that you trust to the Internet Explorer Trusted sites zone

    After you set Internet Explorer to require a prompt before it runs ActiveX 
    controls and Active Scripting in the Internet zone and in the Local 
    intranet zone, you can add sites that you trust to the Internet Explorer 
    Trusted sites zone. This will allow you to continue to use trusted websites 
    exactly as you do today, while helping to protect you from this attack on 
    untrusted sites. We recommend that you add only sites that you trust to the
    Trusted sites zone.

    To do this, perform the following steps:
        In Internet Explorer, click Tools, click Internet Options, and then 
        click the Security tab.
        In the Select a web content zone to specify its current security 
        settings box, click Trusted Sites, and then click Sites.
        If you want to add sites that do not require an encrypted channel, 
        click to clear the Require server verification (https:) for all sites 
        in this zone check box.
        In the Add this website to the zone box, type the URL of a site that 
        you trust, and then click Add.
        Repeat these steps for each site that you want to add to the zone.
        Click OK two times to accept the changes and return to Internet 
        Explorer.

    Note Add any sites that you trust not to take malicious action on your 
    system. Two in particular that you may want to add are 
    *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the 
    sites that will host the update, and it requires an ActiveX Control to 
    install the update.

Other Information
Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

    Daniel Caselden of FireEye for reporting the Internet Explorer Use After 
    Free Vulnerability (CVE-2013-1347)
    iSIGHT Partners for working with us on the Internet Explorer Use After 
    Free Vulnerability (CVE-2013-1347)

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUYsOXe4yVqjM2NGpAQJrig/9GRxiennRhZgQXTN4PHXeU+t6eKZO+4Un
qgJQ9NL/le6ka6iBvMJmGYuEkFX3RldgppbIu4HY4l7o9ZbwUa4lMgFwbruDy99d
XXefrGsDkNpNhFKStFPH2V7pOudaMRRfiav5wS6sMPRbYD2Ng6Wn3hnJSr7g79vy
dcK2F4eHNvXuA2cb3JRAo0T8lFG31JXqG949OcJ7y0DdVND4EiigV+eK/5J+a8B/
okzIVFfeV5mm2wEHyDccZCjKl8WmHurHLwurHnnUgtx+yurvz6fe8Q4LEaLWA4/u
NfXoDHXD9rZdijiPUe6bLqdSXXEPjAO4CI9KZt68Pu5H6+cNg8A37gWnQk9cWEzs
lyhm08gUtuWIWtDQCm97+O3brZfQ+8lrplbDeNyx+LOjTGW5J4EupTX6TxSGGF+b
C5+XyhzryCzFe936Xt2wnpDx1mILwQ8rblHT1BlBqUh7x5beN0Iro4GGSDogUJUi
grqtoF7Cul+UHiNlxaoifhPiNlYUt8/QIGOq3Yp3YbPceSbCGS8BJPrx4Q6fCIBx
vGu7qY5La9AsUoaweP9ffxa7LI3PWTyP69dJN7AOW1SvQraTehZe/OUdLqMD8dxp
9yAohGZTxGcbRAV3Wvm5RtHI4LfVBwkkC9EzexvChY865qtcmESDimLSw8meMJua
+FF9sH+xCjw=
=6d2l
-----END PGP SIGNATURE-----