On Monday, we released a Security Advisory on CVE-2012-4969, a vulnerability in Internet Explorer. A Fix it was released on Wednesday, and a cumulative update is also now available as of today, Friday morning. The vulnerability affects Internet Explorer versions 6 through 9.

We have identified that this vulnerability is being used to infect computers by installing malware on them. The exploitation method has an intricate way of getting the payload on the affected machine. A diagram of the "infection chain" is depicted below:

The infection chain of CVE-2012-4969

As you can see, the infection starts when the specially crafted webpage (detected as Exploit:Win32/CVE-2012-4969.C) is loaded into a vulnerable version of Internet Explorer. This webpage loads a malicious SWF (Adobe Shockwave Flash) file, which we detect as Exploit:SWF/ShellCode.G. The SWF file is encrypted with a commercial packer to evade detection, and it tries to load another webpage, which checks whether your computer is vulnerable and, if so, exploits it. This second webpage is detected as Exploit:Win32/CVE-2012-4969.A.

If the exploitation is successful, a shellcode runs which downloads a malicious payload from a remote server. The payload is detected as Backdoor:Win32/Poison.BR.

How to protect yourself?

We released both a one-click, easy-to-use Fix it tool and a cumulative update for Internet Explorer that incorporates the Fix it code and fully addresses the CVE.

You can also deploy the Enhanced Mitigation Experience Toolkit (EMET), which provides mitigations to help protect against this issue and should not affect the usability of websites.

And lastly, you can also:

  • Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones

Setting security zone settings

For server administrators running Windows Server 2003, 2008 or 2008 R2, make sure that Internet Explorer Enhanced Security Configuration is in place to help mitigate the vulnerability.
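The zone settings and the server-side Enhanced Security Configuration described above can be audited from the command line. The following PowerShell script is an added example and is not part of the MMPC post or of the Fix it tool. It reads the per-user Internet Explorer zone configuration for the Internet and Local intranet zones, reports whether each zone is at the "High" level and whether Active Scripting and ActiveX controls are disabled or set to prompt, and, with `-Remediate`, applies those values. The zone registry layout and action codes are the documented Internet Explorer settings; the Enhanced Security Configuration component GUID is an assumption taken from public documentation rather than from the post.

```powershell
# Added example, not from the MMPC post: audit (and optionally apply) the
# Internet Explorer zone settings the advisory recommends, then report the
# IE Enhanced Security Configuration state on servers.
[CmdletBinding()]
param(
    [switch]$Remediate   # apply the recommended values instead of only reporting
)

$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }   # zone ids used by IE

$ActiveScripting = '1400'   # action code: Active scripting
$RunActiveX      = '1200'   # action code: Run ActiveX controls and plug-ins
$HighLevel       = 0x12000  # CurrentLevel value of the "High" template
$Disable = 3; $Prompt = 1   # action values (0 = Enable)

function Get-SettingName($Value) {
    if ($null -eq $Value) { return 'Not set' }
    switch ([int]$Value) { 0 { 'Enabled' } 1 { 'Prompt' } 3 { 'Disabled' } default { 'Unknown' } }
}

$report = foreach ($id in $zones.Keys) {
    $path  = Join-Path $zoneRoot $id
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    $level  = $props.CurrentLevel
    $script = $props.$ActiveScripting
    $ax     = $props.$RunActiveX

    if ($Remediate) {
        # CurrentLevel only records the slider position; the per-action codes are
        # what IE enforces, so set both. Use $Prompt instead of $Disable to prompt.
        Set-ItemProperty -Path $path -Name 'CurrentLevel'   -Value $HighLevel -Type DWord
        Set-ItemProperty -Path $path -Name $ActiveScripting -Value $Disable   -Type DWord
        Set-ItemProperty -Path $path -Name $RunActiveX      -Value $Disable   -Type DWord
        $level = $HighLevel; $script = $Disable; $ax = $Disable
    }

    $blocked = @($Prompt, $Disable)
    New-Object PSObject -Property @{
        Zone            = $zones[$id]
        LevelIsHigh     = ($level -eq $HighLevel)
        ActiveScripting = Get-SettingName $script
        ActiveXControls = Get-SettingName $ax
        Mitigated       = ($blocked -contains $script) -and ($blocked -contains $ax)
    }
}
$report | Format-Table Zone, LevelIsHigh, ActiveScripting, ActiveXControls, Mitigated -AutoSize

# Windows Server: IE Enhanced Security Configuration for Administrators.
# The component GUID is assumed from public documentation, not from the post.
$escAdmin = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
$esc = Get-ItemProperty -Path $escAdmin -Name IsInstalled -ErrorAction SilentlyContinue
if ($esc) {
    "IE Enhanced Security Configuration (Administrators): $(if ($esc.IsInstalled -eq 1) { 'On' } else { 'Off' })"
} else {
    'IE Enhanced Security Configuration component not present (client OS or not installed)'
}
```

Run it as the user whose browser you are checking, since the zone values live under HKCU. Where the zones are managed by Group Policy, the policy hive takes precedence and the HKCU values may not reflect the effective configuration; in that case audit the policy instead.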

More information about this vulnerability, including details on how to update, can be found in the bulletin.

Conclusion

Zero-day attacks are never pleasant, but developers are fighting hard to keep their number to a minimum. We've seen fewer 0-day vulnerabilities over the last few years, so I would say we're on the right track. The quick release of security updates or specially designed tools also helps minimize users' exposure to these kinds of attacks. One example of such a tool is EMET (the Enhanced Mitigation Experience Toolkit), which is now at its third version and is available for download.

Daniel Chipiristeanu
MMPC