Microsoft Security Advisory (2887505)

ronjor · Sep 17, 2013

Vulnerability in Internet Explorer Could Allow Remote Code Execution

Published: Tuesday, September 17, 2013

Version: 1.0
General Information
Executive Summary

Microsoft is investigating public reports of a vulnerability in all supported versions of Internet Explorer. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Internet Explorer 8 and Internet Explorer 9. Applying the Microsoft Fix it solution, "CVE-2013-3893 MSHTML Shim Workaround," prevents the exploitation of this issue. See the Suggested Actions section of this advisory for more information.

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
Click to expand...

https://technet.microsoft.com/en-us/security/advisory/2887505

ronjor · Sep 17, 2013

MSRCTeam
17 Sep 2013 10:00 AM

Today we released Security Advisory 2887505 regarding an issue that affects Internet Explorer. There are only reports of a limited number of targeted attacks specifically directed at Internet Explorer 8 and 9, although the issue could potentially affect all supported versions. This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type. This would typically occur when an attacker compromises the security of trusted websites regularly frequented, or convinces someone to click on a link in an email or instant message. Running modern versions of Internet Explorer ensures that customers receive the benefit of additional security features that can help prevent successful attacks.
Click to expand...

https://blogs.technet.com/b/msrc/ar...ecurity-advisory-2887505.aspx?Redirected=true

ronjor · Sep 17, 2013

CVE-2013-3893: Fix it workaround available
swiat
17 Sep 2013 12:35 PM

Today, we released a Fix it workaround tool to address a new IE vulnerability that had been actively exploited in extremely limited, targeted attacks. This Fix it makes a minor modification to mshtml.dll when it is loaded in memory to address the vulnerability. This Fix it workaround tool is linked from Security Advisory 2887505 that describes this issue. The exploit we analyzed worked only on Windows XP or Windows 7 running Internet Explorer 8 or 9. Here are the links to both apply and uninstall the Fix it solution:
Click to expand...

http://blogs.technet.com/b/srd/arch...-it-workaround-available.aspx?Redirected=true

harsha_mic · Sep 17, 2013

ronjor said:

CVE-2013-3893: Fix it workaround available
swiat
17 Sep 2013 12:35 PM

Today, we released a Fix it workaround tool to address a new IE vulnerability that had been actively exploited in extremely limited, targeted attacks. This Fix it makes a minor modification to mshtml.dll when it is loaded in memory to address the vulnerability. This Fix it workaround tool is linked from Security Advisory 2887505 that describes this issue. The exploit we analyzed worked only on Windows XP or Windows 7 running Internet Explorer 8 or 9. Here are the links to both apply and uninstall the Fix it solution:
Click to expand...

So, the sample they worked on was not able to expoit IE10 and IE11.

Also, I think if IE running under protected mode should be able to mitigate the issue. Isn't it.

Thanks, Harsha

anon · Sep 18, 2013

harsha_mic said:

So, the sample they worked on was not able to expoit IE10 and IE11.
Click to expand...

=

Executive Summary
Microsoft is investigating public reports of a vulnerability in all supported versions of Internet Explorer. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Internet Explorer 8 and Internet Explorer 9.
..
..
Affected Software : Internet Explorer = all versions (IE6-IE11).
https://technet.microsoft.com/en-us/security/advisory/2887505
Click to expand...

-------------------------

Also, I think if IE running under protected mode should be able to mitigate the issue. Isn't it.

Thanks, Harsha
Click to expand...

=

Mitigating Factors:
By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.
Click to expand...

siljaline · Sep 19, 2013

Fix It applied:

-http://go.microsoft.com/?linkid=9838025-

Undo:
-http://go.microsoft.com/?linkid=9838026-

harsha_mic · Sep 20, 2013

7anon said:

=

-------------------------

=
Click to expand...

thanks for confirming

siljaline · Oct 1, 2013

Microsoft is scheduled to distribute its monthly patch release Oct. 8. Because the software maker has released a temporary fix for the flaw affecting all versions of IE, experts do not expect a permanent fix until the upcoming release.
Click to expand...

http://www.csoonline.com/article/740657/attacks-multiply-as-hackers-target-unpatched-ie-flaw

Also refers:
http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx

Poster notes:
--------------
For those that have implemented the "Fix It" it is user choice to use the undo option.

Under all applicable OS a restore point was applied to those to used the Fix It.

For those that wish to manually remove the Fix It, it is listed in your Add/Remove Programs as: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3893
Via: http://technet.microsoft.com/en-us/security/advisory/2887505

JRViejo · Oct 2, 2013

Attack code that exploits an unpatched vulnerability found in all supported versions of Internet Explorer has been released into the wild. This means that cyberattacks could now surge and affect Internet Explorer users.
Click to expand...

Internet Explorer exploit release could trigger a surge in attacks by Dara Kerr.

siljaline · Oct 2, 2013

I did see that article but it cites a CVE that has not been cited elsewhere. Once we know what MS will be patching next week, it should be more reassuring to those running the exposed IE version.

siljaline · Oct 3, 2013

Despite IE exploit code in the wild, Microsoft won’t release emergency fix before this month’s Patch Tuesday

http://thenextweb.com/microsoft/201...ergency-fix-before-this-months-patch-tuesday/

Log in or Sign up

Microsoft Security Advisory (2887505)

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

harsha_mic Registered Member

anon Registered Member

siljaline Registered Member

harsha_mic Registered Member

siljaline Registered Member

JRViejo Super Moderator

siljaline Registered Member

siljaline Registered Member

Log in or Sign up

Microsoft Security Advisory (2887505)

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

harsha_mic Registered Member

anon Registered Member

siljaline Registered Member

harsha_mic Registered Member

siljaline Registered Member

JRViejo Super Moderator

siljaline Registered Member

siljaline Registered Member

Useful Searches