The recent major vulnerability CVE-2013-0027 flooded almost all versions of Microsoft Internet Explorer and affected operating systems like Windows XP, Vista, 7, and 8, including all the major server versions too. Some thirteen privately reported vulnerabilities were recently resolved in a security bulletin by Microsoft.
The vulnerability, now marked as critical for Internet Explorer 6, 7, 8, 9 and 10, allowed remote code execution if a user tried to view a specially crafted web page using those versions of IE. As disclosed by Microsoft, an attacker could gain the same user privileges as the current user on the successful exploitation of the vulnerability, which triggers due to improper memory operations performed by IE when handling the crafted HTML content. Also, if the current user had administrator privileges, the attacker could compromise the whole system.
For successful exploitation, a malicious user may trick a normal user to go to a malicious site, using instructions, probably even phishing, to actually make the user click that particular link. The malicious site would contain HTML code that fails in maintaining the proper reference count of an object, causing the vulnerability. Due to this incorrect reference count, an attacker would be able to force the freeing of an object currently in use. He could then reallocate the memory previously allocated for the freed object to contain an attacker controlled data. This ultimately results in remote code execution when the freed object was later accessed. The vulnerability may then allow access of deleted or previously removed memory objects, ending in a use after free error and memory corruption.
This recent hack actually complemented the previously released patches in MS12-063, which also had remote code execution vulnerabilities.
CVSSv2 Base Score = 9.3
This particular vulnerability has a CVSS rating of 9.3, which is quite high. According to Microsoft Security Bulletin MS13-009, the remediation to the vulnerability is an automatic update using a security patch released by Microsoft. Computer administrators are further warned to alert users running ActiveX content to adjust security settings to High or disable ActiveX for more secure zones. It’s also recommended that they use Microsoft Baseline Security Analyzer tool to scan for security issues and misconfigurations. Users, on the other hand, are advised not to click on links unless and until they are from a verified entity.
On similar lines, we had various CVEs like CVE-2013-0018, which allowed remote attackers to execute arbitrary code through a crafted website that triggered access to a deleted object, known as the IE Set Capture Use After Free Vulnerability. CVE-2013-0019 – CVE-2013-0029 were similarly using the same use after free vulnerability in different modules like CHTML, CobjectElement, InsertElement, SlayoutRun etc.
The exploit for MS13-009 Microsoft Internet Explorer SLayoutRun Use-After-Free vulnerability has been released by Metasploit and is available on ExploitDb as well. Here is the code for this exploit: