BeyondTrust


Another (sigh) IE Zero-Day

Post by BeyondTrust Research Team December 30, 2012

Unfortunately, the security industry was not going to escape 2012 without seeing yet another zero-day vulnerability in Microsoft’s Internet Explorer. A targeted attack leveraging a zero-day in IE has been discovered on the Council on Foreign Relations website. The technical origin of the flaw is a use-after-free: a CButton object is used after it has been freed in mshtml!CMarkup::OnLoadStatusDone. The issue has been assigned CVE-2012-4792 and affects Internet Explorer 6, 7 and 8; IE 9 and 10 are not affected. The known targeted exploit relies on both Java 1.6 and Adobe Flash (the dynamic duo of client-side attack vectors, as of late) to achieve code execution: Flash is used to spray the heap, and a Java 6 runtime library loaded into the browser process is used to get around ASLR. It works on Windows 7 as well as on those still rocking Windows XP or browsing from their server OS. Also of note is that a Metasploit module for this vulnerability has been released.

Fortunately for all of us, Java 1.6 is going to be end-of-lifed in February 2013 with the release of Java SE 6 Update 39.

It is recommended that users of Java 1.6 upgrade to Java 1.7. Keep in mind that this only breaks the known exploit chain; the underlying IE flaw remains. To remove the vulnerability itself, upgrade to IE 9/10 or use Google Chrome.

Update: A Fix it solution has been supplied by Microsoft, which can be used to mitigate the attack vector until a patch is released. It can be found at http://support.microsoft.com/kb/2794220.
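To make the above actionable on a fleet, here is an added example (not from the original post) of a PowerShell triage script that tells you whether a Windows host is in the affected IE population and whether the Java 1.6 dependency of the in-the-wild exploit is present. The registry locations it reads (the Internet Explorer key with its Version/svcVersion values, and the JavaSoft JRE keys including the Wow6432Node copy for 32-bit Java on 64-bit Windows) are assumptions based on the standard layout for those products; verify them on your own builds before relying on the output.

```powershell
# Added example, not part of the original post.
# Exposure check for CVE-2012-4792 (IE 6/7/8 CButton use-after-free).
# Assumed registry layout: HKLM\SOFTWARE\Microsoft\Internet Explorer holds
# Version (all IE builds) and svcVersion (IE 10+ only); JRE installs register
# version-named subkeys under HKLM\SOFTWARE[\Wow6432Node]\JavaSoft\Java Runtime Environment.

function Get-IEMajorVersion {
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction Stop
    # IE 10 and later report their real version in svcVersion; Version stays at 9.x there.
    $v = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
    return [int]($v.Split('.')[0])
}

function Get-InstalledJreVersions {
    $paths = @('HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
               'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment')
    $found = @()
    foreach ($p in $paths) {
        if (Test-Path $p) {
            # Subkeys are named by version, e.g. 1.6, 1.6.0_37, 1.7, 1.7.0_10
            Get-ChildItem -Path $p | ForEach-Object { $found += $_.PSChildName }
        }
    }
    return ($found | Sort-Object -Unique)
}

$ieMajor  = Get-IEMajorVersion
$jres     = @(Get-InstalledJreVersions)
$hasJava6 = [bool]($jres | Where-Object { $_ -like '1.6*' })

Write-Host "Internet Explorer major version : $ieMajor"
Write-Host "Installed JRE versions          : $(if ($jres) { $jres -join ', ' } else { 'none' })"

if ($ieMajor -le 8) {
    Write-Warning "IE $ieMajor is affected by CVE-2012-4792. Apply the Fix it (KB2794220) or upgrade to IE 9/10."
    if ($hasJava6) {
        Write-Warning "Java 1.6 is installed: the known in-the-wild exploit chain can run against this host."
    } else {
        Write-Host "Java 1.6 not found: the known exploit chain is broken here, but the IE flaw is still present."
    }
} else {
    Write-Host "IE $ieMajor is not affected by CVE-2012-4792."
}
```

Run it from an elevated PowerShell prompt on each host (or push it through your management tooling); the two warnings separate "vulnerable" from "vulnerable and matches the exploit's preconditions", which is the distinction you want when prioritising the Fix it or an IE upgrade.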

BeyondTrust Customers
Customers relying on Retina CS for enterprise threat management or Retina Network for vulnerability scanning can detect this vulnerability with Audit 17920 – Microsoft Internet Explorer Remote Code Execution (Zero-Day). So run a quick scan before you put the champagne on ice for NYE.


One Response to “Another (sigh) IE Zero-Day”

  1. January 2013 Patch Tuesday: Patches, but none for the IE 0day! | BeyondTrust

    [...] you’ve been following the security news recently, you’ll no doubt have heard of the recently disclosed Internet Explorer zero day, CVE-2012-4792, that made its rounds this last month. Well, you’ll also note that this month does [...]

    January 08, 2013 11:54:04, Reply
