Wednesday, November 3, 2010

CVE-2010-3962 - yet another Internet Explorer RCE

Update - November 12, 2010:
Amnesty International Hong Kong Website Injected With Latest Internet Explorer 0-day
http://community.websense.com/blogs/securitylabs/archive/2010/11/10/Amnesty-International-Hong-Kong-Website-Injected-With-Latest-Internet-Explorer-0_2D00_day-.aspx


Update - November 5, 2010:
CVE-2010-3962 - BindShell proof of concept:
http://www.offensive-security.com/0day/ie-0day.txt

Metasploit Module
https://www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms10_xxx_ie_css_clip.rb

More on the IE 0-day - Hupigon Joins The Party
http://blog.fireeye.com/research/2010/11/ie-0-day-hupigon-joins-the-party.html



Update - November 4, 2010:
The memory corruption proof of concept is (place the following code as is within an HTML file):





(From: http://twitter.com/yuange1975/status/29593742541)

Microsoft Internet Explorer CSS "clip" Attribute Memory Corruption
http://www.vupen.com/english/advisories/2010/2880


November 3, 2010:
New IE 0-Day used in Targeted Attacks
http://www.symantec.com/connect/blogs/new-ie-0-day-used-targeted-attacks

The issue seems to be related to a "use after free" bug that occurs when certain CSS tag sequences are parsed.
One of the implicated pieces of malware seems to be a Backdoor.Pirpi variant.

Other links:
Incidents.org
http://isc.sans.edu/diary.html?storyid=9874

Microsoft Security Advisory 2458511 (workaround included)
http://www.microsoft.com/technet/security/advisory/2458511.mspx
