
Unpatched vulnerability in Internet Explorer 8 & 9 being used by attackers


25 replies to this topic

#1 Grinler

    Lawrence Abrams


  • Admin

Posted 18 September 2013 - 08:56 AM

Microsoft announced yesterday that an unpatched vulnerability in Internet Explorer has been discovered and is currently being used by attackers to exploit affected computers. This vulnerability is currently found in all supported versions of Internet Explorer and allows remote attackers to perform remote code execution on your computer. Microsoft has stated that there is currently a patch in development and has released a Fix It as a stopgap until the patch is ready.

As discussed in Microsoft Security Advisory (2887505), this is a remote code execution vulnerability, which means that attackers can run programs and execute commands on an exploited computer. Attackers typically exploit this vulnerability by hacking web sites and introducing exploit code on the web site. When visitors then visit this web site their browsers will execute the exploit code, which will then cause specific commands or actions to be executed as dictated by the attacker's exploit code. This could include downloading programs, installing or starting infections, or other behavior.

As there is no available patch for this exploit, Microsoft has released a Fix It titled CVE-2013-3893 MSHTML Shim Workaround, which prevents the exploitation of this vulnerability. All users of Internet Explorer should immediately install this Fix It until a patch is available or use a different browser for the interim.




#2 Enriqe

Posted 18 September 2013 - 12:08 PM

I have always kept the remote user thing disabled on my computer .... would this help in situations like this?

 

By the way ... thank you for the warning as I do use IE.


Edited by Enriqe, 18 September 2013 - 12:10 PM.


#3 JoanneMT

Posted 18 September 2013 - 01:03 PM

Thank you too, Grinler for posting the warning. I ran the workaround this morning and ended up with two instances of CVE programs that won't go away. I seldom use explorer since the warning about its "lame duck" status. Here is the report I gave to Microsoft:

 

I have had the CVE-2012 program installed since the Java exploit last year. I was removing Java from my PC and then a "fix/workaround" called JavaRe came out which I used.  I have been stuck with CVE 2012-4792 since then. Now, since I've run your workaround, I also have CVE 2013-3693 in my Add/Remove programs that refuses to be uninstalled. I've done everything I can to remove Java, but occasionally I see it called by a website I am working on. I am still running XP SP3.

 

BTW, I am using Mozilla Firefox. Is that a good choice over Google Chrome?  I am going to have to upgrade my hardware as I have 3 desktops that are crowding my office.  My HP machine got hammered and I've lost my files and my backups, and was advised to take it to a shop, install a new hard drive, have them recover my lost files, and then reinstall the operating system. I don't want to spend any more money on these dinosaurs since my e-machine seems to be working ok.

 

Any recommendations on where to go from here? I've considered an IPod or the less expensive smaller laptop with a fold out keyboard, and use flash drives to store my data and pictures. I am not sure I feel comfortable with the "Cloud" backups since now I'm paranoid about everything...

 

Thank you for reading and any advice you would like to share.



#4 MrBruce1959

Posted 18 September 2013 - 10:48 PM

I take it that Internet Explorer 10.0.9200.16686IS is not part of the exploit am I correct?

 

 

BTW, thanks for the heads up! :thumbup2:

 

Bruce.


Welcome to Bleeping Computer! :welcome:
New Members: Please click here for the Bleeping Computer Forum Board Rules
 
My Career Involves 45 Years as an Electronics Repair Technician, to Which I am Currently Retired From.

I Am Currently Using Windows 10 Home Edition.

As a Volunteer Staff Member of Bleeping Computer, the Help That I Proudly Provide Here To Our BC Forum Board Membership is Free of Charge. :wink:


#5 MzLindyOne

Posted 19 September 2013 - 08:06 AM

> I take it that Internet Explorer 10.0.9200.16686IS is not part of the exploit am I correct?

 

The advisory states "all supported versions" and lists IE6-11 (yes, 11).  They say they are aware of it being used in 8 and 9.

 

Damage is worse if the user is running as Administrator.



#6 herbman

Posted 19 September 2013 - 11:24 PM

Can turning off IE make a difference or using the 0.0.0.0 and 80 in proxy do anything because I don't use IE either but was told to keep it operational since it's intertwined in the Windows system and disabling can cause unreliable computer performance at times.

 

Thank you



#7 Grinler

Posted 20 September 2013 - 07:56 AM

If you do not use IE, you do not have to worry about this bug.



#8 MrBruce1959

Posted 20 September 2013 - 10:35 AM

> The advisory states "all supported versions" and lists IE6-11 (yes, 11). They say they are aware of it being used in 8 and 9.
>
> Damage is worse if the user is running as Administrator.

 

Thank you, appreciate your reply on that information.

 

Yup, I'm using IE to reply to this, even though I have both Firefox and chrome installed.. Go figure huh?

 

Bruce.




#9 herbman

Posted 20 September 2013 - 11:26 AM

> If you do not use IE, you do not have to worry about this bug.

I thought that if it was not disabled I was prone to exploits but it's as long as I don't use it that is key. Interesting and thank you



#10 bknaka

Posted 21 September 2013 - 02:02 AM

Even if you guys don't use IE, the connections still run through it.

#11 Animal

Posted 21 September 2013 - 01:51 PM

Please explain how that works, if I don't have IE open? I don't see how an application can be used if it is not enabled?

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)



#12 herbman

Posted 22 September 2013 - 09:34 PM

> Please explain how that works, if I don't have IE open? I don't see how an application can be used if it is not enabled?

Yes please do.



#13 JoanneMT

Posted 24 September 2013 - 11:37 AM

Maybe bknaka refers to windows updates using IE?  I'm paranoid about "remote code execution" - so does that mean malware cannot execute code that is not executing?  One of my computers crashed all the way to just a few entries on the C: drive. (D was still there) and I saw a folder name, empty, of a program called muvee that was on the machine gifted to me. I had used Revo to get rid of it, and was surprised to see a filename still there, so deep in the drive.  I need help putting it back together, where can I ask questions?

 

bknaka is new here so probably forgot to check back. 

 

Thank you



#14 x64

Posted 25 September 2013 - 04:45 PM

> Please explain how that works, if I don't have IE open? I don't see how an application can be used if it is not enabled?

Whilst I don't agree with bknaka's wording ("the connections still run through it."), code distributed with IE is widely used by the rest of Windows and so this needs to be considered as part of the risk assessment attached to any IE vulnerability. The issue could be in some IE only code, or in a shared component distributed with IE. The advisory does not explicitly say whether the vulnerability is in a shared component or not, but there are some hints that it is.

The title of the "Fix-it" workaround "CVE-2013-3893 MSHTML Shim Workaround" suggests that the mshtml component could be implicated ("could be" as the advisory gives no information about the vulnerability other than a couple of hints gleaned from the workarounds and mitigations described). Additionally the article explains the HTML formatted email in Outlook, Outlook Express or Windows Mail is opened in the restricted zone (which provides the mitigation) - This too suggests that MSHTML is the problem. This would be invoked from those mail clients and would not need IE to be explicitly opened by the user.

Of course MSHTML is widely used elsewhere in Windows but execution of arbitrary code is much less likely in the other places that it is used.

The MS article lists as a mitigation that an attacker would need to lure a victim to a maliciously crafted site. I don't think that is really a mitigation as a person could visit a website run by someone they trust, but get infected because the site itself has been hacked and infected.

 

Roll on October's patch Tuesday!
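
Added example (not part of the thread, and not Microsoft's tooling): a PowerShell check for the shared-component point raised in post #14, listing which running processes currently have mshtml.dll loaded, whether or not Internet Explorer itself is open. The function name Get-MshtmlHost is hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: enumerate running processes that have the IE rendering
# engine (mshtml.dll) mapped, to see which applications host it.
# Get-MshtmlHost is a hypothetical helper name, not a built-in cmdlet.
function Get-MshtmlHost {
    [CmdletBinding()]
    param(
        # Component named in the Fix It title discussed in the thread.
        [string]$ModuleName = 'mshtml.dll'
    )

    foreach ($proc in Get-Process) {
        $hit = $null
        try {
            # Reading the module list can fail for protected or exiting
            # processes; those are skipped and reported with -Verbose.
            $hit = $proc.Modules |
                Where-Object { $_.ModuleName -ieq $ModuleName } |
                Select-Object -First 1
        }
        catch {
            Write-Verbose "Skipped $($proc.ProcessName) (PID $($proc.Id)): $($_.Exception.Message)"
            continue
        }

        if ($hit) {
            [pscustomobject]@{
                Process     = $proc.ProcessName
                Id          = $proc.Id
                IsIE        = ($proc.ProcessName -ieq 'iexplore')
                ModulePath  = $hit.FileName
                FileVersion = $hit.FileVersionInfo.FileVersion
            }
        }
    }
}

# Non-IE hosts sort first; run elevated to see other users' processes.
Get-MshtmlHost -Verbose |
    Sort-Object IsIE, Process |
    Format-Table -AutoSize
```

On 64-bit Windows a 64-bit session may not see the modules of 32-bit processes, so repeat the check from a 32-bit PowerShell session to cover 32-bit hosts such as mail clients.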



#15 Grinler

Posted 25 September 2013 - 08:33 PM

Yes, if it's a shared component and you can trick another app that uses the shared component to go to a hacked page that contains the exploit, then possibly you may get infected. As you can see this requires a lot of steps rather than would occur if you were just browsing with the browser.

Regardless, better off using the Fix It to be safe.



