MA-221.032010 : MyCERT Alert - Critical Vulnerability in Microsoft Internet Explorer
Date of publication: 2010-03-10
1.0 Introduction
A critical vulnerability (CVE-2010-0806) has been identified in the Microsoft Internet Explorer web browser. If successfully exploited, the vulnerability will cause the application to crash and could potentially allow an attacker to take control of the affected system. The vulnerability is caused by a use-after-free error in the Internet Explorer Peer Objects module "iepeers.dll" when processing certain data.
Essentially, an attacker can trick users into clicking on a URL sent via e-mail, which directs them to a specially crafted web page containing the exploit.
MyCERT is aware that a '0-day' exploit is available on the internet at the time of the publication of this advisory.
2.0 Impact
An attacker who successfully exploits this vulnerability will be able to execute code remotely and gain the same privileges as the logged-on user. Unsuccessful attacks may result in a denial of service (DoS).
3.0 Affected Products
The detailed list of vulnerable products and versions is as follows:
- Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
- Internet Explorer 6 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
- Internet Explorer 6 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2
- Internet Explorer 7 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
- Internet Explorer 7 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2
- Internet Explorer 7 in Windows Vista, Windows Vista Service Pack 1, Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
- Internet Explorer 7 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
- Internet Explorer 7 in Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
- Internet Explorer 7 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
4.0 Recommendations
As of the writing of this advisory, Microsoft has not released any security patches for this vulnerability. However, users can use the following steps as a temporary workaround if they need to use Microsoft Internet Explorer:
4.1 Enable Data Execution Prevention (DEP) for Internet Explorer. Microsoft Security Response Center has created a Microsoft Fix It to automate this. The Fix It can be run on individual systems or enterprises can deploy it through their automated systems. The Microsoft Fix It can be obtained from the following URL:
http://support.microsoft.com/kb/981374
4.2 Upgrade to Internet Explorer 8 to benefit from its increased protections. In addition, users should continue to follow Microsoft "Protect Your Computer" guidance at http://www.microsoft.com/protect. Internet Explorer 8 is available at the following URL: http://www.microsoft.com/windows/internet-explorer/worldwide-sites.aspx
4.3 Disable Active Script support in the browser. Active Script can be disabled by referring to the following steps:
- On the Tools menu, click Internet Options
- Click the Security tab, choose the Internet zone and click Custom Level
- Disable Active Scripting and click OK
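The step 4.3 workaround as an added example (not part of the MyCERT advisory), audited and optionally applied through the registry rather than the Internet Options dialog so it can be checked across many machines; the zone number, the value name 1400 and its meanings are assumptions about the Internet Settings registry layout:

```powershell
# Added example (not from the MyCERT advisory): report whether Active Scripting
# is disabled for the Internet zone and, with -Apply, disable it.
# Assumption: the Internet zone is zone 3 and DWORD value 1400 holds the
# "Active scripting" setting (0 = Enable, 1 = Prompt, 3 = Disable).
[CmdletBinding()]
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

$ZonePath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ValueName = '1400'
$Disabled  = 3

function Get-ActiveScriptingState {
    # Returns 'Enable', 'Prompt', 'Disable' or 'NotSet' for the current user's Internet zone.
    $item = Get-ItemProperty -Path $ZonePath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    switch ($item.$ValueName) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "Unknown($($item.$ValueName))" }
    }
}

$before = Get-ActiveScriptingState
Write-Host "Internet zone Active Scripting: $before"

if ($Apply -and $before -ne 'Disable') {
    # Same effect as Tools > Internet Options > Security > Internet > Custom Level
    # > Active scripting = Disable, but scriptable for deployment.
    Set-ItemProperty -Path $ZonePath -Name $ValueName -Value $Disabled -Type DWord
    Write-Host "Internet zone Active Scripting now: $(Get-ActiveScriptingState)"
}
```

A Group Policy setting for the same zone (under HKLM\Software\Policies) takes precedence over the per-user value; this script checks only the user hive.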
4.4 Do not browse to untrusted websites or click on untrusted links especially URLs enclosed in e-mails from an unknown sender.
4.5 Browse the Internet as a lower-privilege user to minimise the impact of any malicious file.
4.6 Consider using alternative web browsers to browse the Internet. Please make sure you use the latest version and stay up-to-date as well.
MyCERT would like to advise users of Microsoft Internet Explorer to stay alert to the latest security announcements from Microsoft and to ensure that their operating systems are updated automatically. The article on how to enable the automatic update feature in Microsoft Windows is available at the following URL:
http://www.mycert.org.my/en/resources/os/main/main/detail/707/index.html
Users may also consider using a vulnerability management tool such as Secunia to ensure that all applications are updated:
http://secunia.com/vulnerability_scanning/personal/
MyCERT can be reached through the following channels for further assistance:
E-mail : mycert@mycert.org.my
Phone : +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT <EMAIL> <COMPLAINT> to 15888
Business Hours : Mon - Fri 08:30 -17:30 MYT
Web: http://www.mycert.org.my
5.0 References