Executive Summary

Summary
Title Microsoft Internet Explorer CButton use-after-free vulnerability
Informations
Name VU#154201 First vendor Publication 2012-12-29
Vendor VU-CERT Last vendor Modification 2013-01-14
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#154201

Microsoft Internet Explorer CButton use-after-free vulnerability

Original Release date: 29 Dec 2012 | Last revised: 14 Jan 2013

Overview

Microsoft Internet Explorer contains a use-after-free vulnerability in the CButton object, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Microsoft Internet Explorer contains a use-after-free vulnerability in the mshtml CButton object. Specially-crafted JavaScript can cause Internet Explorer to free the CButton object without removing a pointer, resulting in a state where Internet Explorer may attempt to call an invalid memory address. This memory address may be under the control of the attacker.

This vulnerability is currently being exploited in the wild, using Adobe Flash to achieve a heap spray and Java to provide Return Oriented Programming (ROP) gadgets. Other proof-of-concept exploits are publicly available that do not use heap spraying.

Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), Microsoft Office document, an attacker may be able to execute arbitrary code.

Solution

Apply an Update

Microsoft has released MS13-008 to address this vulnerability. Users should run Windows Update to receive the patch. If a user is unable to update, please consider the following workarounds:

Use the Microsoft Enhanced Mitigation Experience Toolkit

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a video tutorial for setting up EMET 3.0 on Windows 7. Note that platforms that do not support ASLR, such as Windows XP and Windows Server 2003, will not receive the same level of protection that modern Windows platforms will.

Apply the Microsoft Fix It

Microsoft has provided a "Fix it" patch that causes Internet Explorer to safely crash if this vulnerability is attempted to be exploited, rather than resulting in code execution. Please see the Microsoft SRD blog entry for more details. Note that Windows must be fully-patched for the Fix it to be effective. There is also a report that the Fix it is insufficient to completely address the vulnerability.

Disable the Flash ActiveX control in Internet Explorer

While it does not address the underlying vulnerability in Internet Explorer, disabling Flash may break some exploits. The Flash ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:

    {D27CDB6E-AE6D-11cf-96B8-444553540000}
More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    "Compatibility Flags"=dword:00000400
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    "Compatibility Flags"=dword:00000400
Disable Java in Internet Explorer

While it does not address the underlying vulnerability in Internet Explorer, disabling Java may break some exploits. Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details.

Vendor Information (Learn More)

No information available. If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base10.0AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal9.0E:H/RL:W/RC:UR
Environmental9.0CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

  • https://technet.microsoft.com/en-us/security/bulletin/ms13-008
  • http://technet.microsoft.com/en-us/security/advisory/2794220
  • http://blogs.technet.com/b/srd/archive/2012/12/31/microsoft-quot-fix-it-quot-available-for-internet-explorer-6-7-and-8.aspx
  • http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx
  • http://blog.exodusintel.com/2013/01/04/bypassing-microsofts-internet-explorer-0day-fix-it-patch-for-cve-2012-4792/
  • http://blog.vulnhunt.com/index.php/2012/12/29/new-ie-0day-coming-mshtmlcdwnbindinfo-object-use-after-free-vulnerability/
  • http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/
  • http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html
  • http://labs.alienvault.com/labs/index.php/2012/just-another-water-hole-campaign-using-an-internet-explorer-0day
  • http://support.microsoft.com/kb/2458544
  • http://www.youtube.com/watch?v=28_LUs_g0u4
  • http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html#disable

Credit

This vulnerability was described by Eric Romang and FireEye.

This document was written by Will Dormann.

Other Information

  • CVE IDs:CVE-2012-4792
  • Date Public:28 Dec 2012
  • Date First Published:29 Dec 2012
  • Date Last Updated:14 Jan 2013
  • Document Revision:42

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/154201

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-399 Resource Management Errors

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:16361
 
Oval ID: oval:org.mitre.oval:def:16361
Title: Internet Explorer Use After Free Vulnerability - MS13-008
Description: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object, and exploited in the wild in December 2012.
Family: windows Class: vulnerability
Reference(s): CVE-2012-4792
Version: 5
Platform(s): Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Microsoft Internet Explorer 6
Microsoft Internet Explorer 7
Microsoft Internet Explorer 8
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 3

SAINT Exploits

Description Link
Internet Explorer CButton Use After Free Vulnerability More info here

ExploitDB Exploits

id Description
2013-01-02 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability

Snort® IPS/IDS

Date Description
2016-04-28 Microsoft Internet Explorer deleted button use after free attempt
RuleID : 38364 - Revision : 2 - Type : BROWSER-IE
2016-04-28 Microsoft Internet Explorer deleted button use after free attempt
RuleID : 38363 - Revision : 1 - Type : BROWSER-IE
2014-01-10 Gong Da exploit kit possible jar download
RuleID : 27706 - Revision : 3 - Type : EXPLOIT-KIT
2014-01-10 Gong Da exploit kit Java exploit requested
RuleID : 27705 - Revision : 3 - Type : EXPLOIT-KIT
2014-01-10 Gong Da exploit kit Java exploit requested
RuleID : 27704 - Revision : 3 - Type : EXPLOIT-KIT
2014-01-10 Gong Da exploit kit plugin detection
RuleID : 27703 - Revision : 2 - Type : EXPLOIT-KIT
2014-01-10 Gong Da exploit kit landing page
RuleID : 27702 - Revision : 3 - Type : EXPLOIT-KIT
2014-01-10 Gong Da Jar file download
RuleID : 27701 - Revision : 2 - Type : EXPLOIT-KIT
2014-01-10 Blackholev2 exploit kit JNLP request
RuleID : 27070 - Revision : 2 - Type : EXPLOIT-KIT
2014-01-10 Blackholev2 exploit kit landing page - specific structure
RuleID : 27067 - Revision : 4 - Type : EXPLOIT-KIT
2014-01-10 iFramer injection - specific structure
RuleID : 26617 - Revision : 4 - Type : EXPLOIT-KIT
2014-01-10 Multiple exploit kit successful redirection - jnlp bypass
RuleID : 26541 - Revision : 5 - Type : EXPLOIT-KIT
2014-01-10 iFramer injection - specific structure
RuleID : 26540 - Revision : 4 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit java payload detection
RuleID : 26512 - Revision : 4 - Type : EXPLOIT-KIT
2014-01-10 Sakura exploit kit redirection structure
RuleID : 26511 - Revision : 6 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit pdf payload detection
RuleID : 26510 - Revision : 5 - Type : EXPLOIT-KIT
2014-01-10 Multiple exploit kit java payload detection
RuleID : 26509 - Revision : 4 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit landing page - specific structure
RuleID : 26507 - Revision : 4 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit jar file redirection
RuleID : 26506 - Revision : 6 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit malicious jar download
RuleID : 26256 - Revision : 4 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit redirection page
RuleID : 26254 - Revision : 4 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit MyApplet class retrieval
RuleID : 26229 - Revision : 4 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit redirection page
RuleID : 26228 - Revision : 4 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit Portable Executable download
RuleID : 26056 - Revision : 7 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit malicious class file download
RuleID : 26055 - Revision : 6 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit malicious class file download
RuleID : 26054 - Revision : 6 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit malicious class file download
RuleID : 26053 - Revision : 6 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit malicious class file download
RuleID : 26052 - Revision : 6 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit malicious jar file download
RuleID : 26051 - Revision : 7 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit SWF file download
RuleID : 26050 - Revision : 7 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit EOT file download
RuleID : 26049 - Revision : 7 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit PDF exploit
RuleID : 26048 - Revision : 8 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit redirection structure
RuleID : 26047 - Revision : 5 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit landing page
RuleID : 26046 - Revision : 5 - Type : EXPLOIT-KIT
2014-01-10 Gong Da exploit kit redirection page received
RuleID : 26013 - Revision : 4 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit Portable Executable download
RuleID : 25968 - Revision : 7 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit malicious class file download
RuleID : 25967 - Revision : 5 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit malicious class file download
RuleID : 25966 - Revision : 5 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit malicious class file download
RuleID : 25965 - Revision : 5 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit malicious class file download
RuleID : 25964 - Revision : 5 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit SWF file download
RuleID : 25963 - Revision : 7 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit EOT file download
RuleID : 25962 - Revision : 6 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit former location - has been removed
RuleID : 25960 - Revision : 5 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit malicious class file download
RuleID : 25959 - Revision : 6 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit malicious class file download
RuleID : 25958 - Revision : 6 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit malicious class file download
RuleID : 25957 - Revision : 6 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit malicious class file download
RuleID : 25956 - Revision : 6 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit malicious jar file download
RuleID : 25955 - Revision : 7 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit SWF file download
RuleID : 25954 - Revision : 8 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit landing page
RuleID : 25953 - Revision : 5 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit landing page
RuleID : 25952 - Revision : 5 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit EOT file download
RuleID : 25951 - Revision : 7 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit PDF exploit
RuleID : 25950 - Revision : 8 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit java exploit retrieval
RuleID : 25862 - Revision : 5 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit java exploit retrieval
RuleID : 25861 - Revision : 5 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit landing page
RuleID : 25860 - Revision : 5 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit malicious jar file download
RuleID : 25859 - Revision : 8 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit Java exploit download
RuleID : 25858 - Revision : 5 - Type : EXPLOIT-KIT
2014-01-10 Cool exploit kit PDF exploit
RuleID : 25857 - Revision : 9 - Type : EXPLOIT-KIT
2014-01-10 Microsoft Internet Explorer deleted button use after free attempt
RuleID : 25235 - Revision : 4 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer deleted button use after free attempt
RuleID : 25234 - Revision : 4 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer deleted button use after free attempt
RuleID : 25134 - Revision : 4 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer deleted button use after free attempt
RuleID : 25133 - Revision : 4 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer deleted button use after free attempt
RuleID : 25132 - Revision : 4 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer deleted button use after free attempt
RuleID : 25131 - Revision : 4 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer deleted button use after free attempt
RuleID : 25130 - Revision : 4 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer deleted button use after free attempt
RuleID : 25129 - Revision : 4 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer deleted button use after free attempt
RuleID : 25128 - Revision : 4 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer deleted button use after free attempt
RuleID : 25127 - Revision : 4 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer deleted button use after free attempt
RuleID : 25126 - Revision : 3 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer deleted button use after free attempt
RuleID : 25125 - Revision : 4 - Type : BROWSER-IE

Nessus® Vulnerability Scanner

Date Description
2013-01-14 Name : The remote host is affected by a code execution vulnerability.
File : smb_nt_ms13-008.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Date Informations
2020-05-23 13:17:15
  • Multiple Updates
2016-06-29 01:31:20
  • Multiple Updates
2014-02-17 12:07:32
  • Multiple Updates
2013-01-23 13:23:30
  • Multiple Updates
2013-01-15 00:21:22
  • Multiple Updates
2013-01-15 00:19:18
  • Multiple Updates
2013-01-11 21:24:34
  • Multiple Updates
2013-01-11 21:22:32
  • Multiple Updates
2013-01-05 05:19:43
  • Multiple Updates
2013-01-05 05:17:57
  • Multiple Updates
2013-01-05 00:21:08
  • Multiple Updates
2013-01-05 00:19:20
  • Multiple Updates
2013-01-04 21:20:37
  • Multiple Updates
2013-01-04 21:18:03
  • Multiple Updates
2013-01-03 17:21:45
  • Multiple Updates
2013-01-03 17:20:03
  • Multiple Updates
2013-01-01 00:20:22
  • Multiple Updates
2013-01-01 00:18:38
  • Multiple Updates
2012-12-31 21:20:31
  • Multiple Updates
2012-12-31 17:19:22
  • Multiple Updates
2012-12-30 21:19:15
  • Multiple Updates
2012-12-30 17:17:34
  • Multiple Updates
2012-12-29 17:17:31
  • First insertion