

New Metasploit 0-day exploit for IE 7, 8 & 9 on Windows XP, Vista, and 7 - turnersr
https://community.rapid7.com/community/metasploit/blog/2012/09/17/lets-start-the-week-with-a-new-internet-explorer-0-day-in-metasploit

======
dguido
This title is a bit misleading. This exploit will not be able to fully exploit
anyone running on Vista or Windows 7, since Internet Explorer renderers run in
low integrity processes on those operating systems (essentially, they are
sandboxed). No one has released a second exploit that would escalate
privileges outside of this sandbox.

If you are running IE on Windows XP and you've taken no other steps to protect
yourself (like running EMET, SandboxIE, or another mitigation), then it's your
own damn fault that you got owned. On the other hand, take a look at how many
exploits for IE that Rapid7/Metasploit has that support Windows 7: 0.

~~~
fjarlq
Are you sure about that?

The article specifically states that on Windows 7 the attacker obtains the
privileges of the current user.

Microsoft's advisory agrees:

<http://technet.microsoft.com/en-us/security/advisory/2757760>

 _"The vulnerability may corrupt memory in a way that could allow an attacker
to execute arbitrary code in the context of the current user within Internet
Explorer."_

What's more, most people run with administrator privileges on Windows
7/Vista/XP because that's the default.

~~~
dguido
Yes, I'm sure that my analysis was correct. IE8+ on Vista+ run IE renderers
in Low Integrity, which means read-only access. It's not possible to further
compromise (i.e., install malware) the exploited machine without a second
exploit that escalates integrity levels to medium.

------
givan
Computers can get compromised _simply by visiting a malicious website_. Since
_Microsoft has not released a patch for this vulnerability yet_, Internet
users are strongly advised to switch to other browsers.

The long release cycle of Internet Explorer is a very big problem for IE
users; unfortunately most of them don't even know what a browser is.

~~~
greenyoda
The long release cycle for new versions of IE is irrelevant. Internet Explorer
security patches get pushed regularly through Windows Update, which Microsoft
encourages users to set up for automatic installation. So this problem will
get fixed for the average user as soon as Microsoft sends out the patch. It
requires no more knowledge than updating Chrome does.

Note that I'm not recommending that anybody use IE. I'm just pointing out that
it does get automatic updates, just like other browsers.

~~~
thaumaturgy
True, but there is an important difference between Chrome background updates
and Windows Updates: Windows Updates are easy to disable, and, in our
experience, frequently are disabled by users for various reasons.

Users find that they hate trying to reboot (or start up) one day and then wait
for 30 minutes while their computer does nothing more than display a "Now
installing update 3 (of 30)..." screen. (This is especially obnoxious on big
Windows Server installations where this process can take a server down for an
entire weekend.) Or they hate being nagged all the time that there are updates
available. Or they hate having their computer insist every five to ten minutes
that it needs to be restarted now. Or they're gun-shy about it because an
update once changed the layout of Windows Live Mail and left them completely
confused about why it was suddenly so different even though they hadn't
changed anything.

In one fun case, we had a corporate client disable automatic updates for their
entire research lab because one night Windows update decided it needed to
automatically reboot every single system there. They were running overnight
experiments and came in the next morning to find that all of the night's data
was missing or corrupted, costing them a day on a tight schedule.

Microsoft does software updates in a very, very wrong way, and that means that
a rather large number of people think it's better to just ignore the updates.

~~~
com2kid
Windows Update is very configurable, both through AD policies and on a per
user basis. If a machine shouldn't be auto-updating, set it to manual
reminders. Plain and simple.

As for updates, in my experience they are generally small and fast to install
once you have gotten over the initial update push of a clean Windows
installation.

And of course in domains, you can set up custom update rollouts, no need to
use MS's update servers.

Finally, for servers, install the OS onto an SSD. Updates will take seconds.
Problem solved.

While it would be nice if more components could update without restarts (and I
think people forget how much better things are now than they used to be!), the
fact is every major piece of software out there requires restarts to install
updates. Of course there are awesome-cool Linux and other OSs that do not
require restarts (IBM obviously has had that tech for ages, really cool
stuff), but with how Windows is designed (back-compat first), that isn't
likely coming any time soon.

I've also had long running work disrupted by Windows update. The simple
solution was to check "Ask before installation". Problem solved.

(And to be honest, browser restarts are just as troubling to me nowadays as
rebooting my entire PC!)
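An added audit script, not from this thread and not Rapid7's code, that reports the two settings the discussion turns on: whether IE Protected Mode (the Low Integrity renderer dguido describes) is on for each security zone, and whether Windows Update is set to install automatically (the "manual reminders" / "ask before installation" choices com2kid mentions). It assumes the documented registry locations: per-zone value `2500` under the HKCU Internet Settings zones (0 = Protected Mode on, 3 = off) and `AUOptions` / `NoAutoUpdate` under the Auto Update and WSUS policy keys.

```powershell
# Added example (not from the thread or from Rapid7): report the two settings
# the discussion turns on. Assumes the documented registry locations; run as admin.

$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

Write-Host '== IE Protected Mode (Low Integrity renderer) per zone =='
foreach ($z in 1..4) {
    # Value 2500 is the Protected Mode action: 0 = on, 3 = off.
    # It is absent on XP, which has no Protected Mode at all.
    $v = (Get-ItemProperty -Path "$zonesRoot\$z" -Name '2500' -ErrorAction SilentlyContinue).'2500'
    $state = switch ($v) {
        0       { 'ON' }
        3       { 'OFF  <- renderer runs at the user''s full integrity level' }
        default { 'not set (no Protected Mode on this OS, or zone default)' }
    }
    '{0,-16} {1}' -f $zoneNames[$z], $state
}

Write-Host '== Windows Update automatic installation =='
$auPolicy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
$auLocal  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue

# A domain policy overrides the Control Panel choice; NoAutoUpdate=1 turns AU off entirely.
if ($auPolicy -and $auPolicy.NoAutoUpdate -eq 1) { $au = 1; $src = 'policy' }
elseif ($auPolicy -and $auPolicy.AUOptions)      { $au = $auPolicy.AUOptions; $src = 'policy' }
elseif ($auLocal -and $auLocal.AUOptions)        { $au = $auLocal.AUOptions;  $src = 'local' }
else                                             { $au = $null; $src = 'unknown' }

$meaning = @{ 1 = 'disabled'; 2 = 'notify before download'; 3 = 'download, notify before install';
              4 = 'download and install on schedule'; 5 = 'local admin chooses' }
$desc = if ($au) { $meaning[[int]$au] } else { 'not configured' }
"AUOptions = $au ($desc) from $src"
if ($au -ne 4) {
    # Anything other than 4 means a patch waits for a human, which is the gap thaumaturgy describes.
    Write-Warning 'Updates are not installed automatically; the fix will sit unapplied until someone acts.'
}
```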

~~~
thaumaturgy
Everything you said is technically correct, and helpful to some people, but it
doesn't change the fact that most users opt to simply disable automatic
updates in one fashion or another. Manual updates, and
"download-but-don't-install", are both different from the Chrome example, and in both cases,
will cause IE to not be immediately patched for all of its users even once
Microsoft pushes an update for it.

And, if I may push back just a little bit more: "install an SSD" should
ideally never, ever be a serious solution to the problem of software updates.
I'd like to think that I'd have the good grace to be completely embarrassed if
I ran a software company that had advocates telling other people that my long
update process could be "solved" by installing an SSD.

Not that you're technically wrong.

~~~
cooldeal
>but it doesn't change the fact that most users opt to simply disable
automatic updates in one fashion or another

Most people disable auto updates? Do you have a reference for that or is that
just your personal anecdote? Most people and PCs I've seen auto update. Normal
users don't even care to take the time to find out if they can be disabled.

You can only force users so much. Installing updates and restarting is a
default, and people who go out of their way to prevent it deserve to take some
responsibility; it's their machine after all, not Microsoft's nor yours. If
Windows forced everyone to update and restart automatically without a way to
turn it off, a lot of people would raise hell over it. Some people don't like
even browsers autoupdating under them.

------
dj_axl
More explanation here: [http://www.ehackingnews.com/2012/09/new-zero-day-ie-exploit-...](http://www.ehackingnews.com/2012/09/new-zero-day-ie-exploit-metasploit-module.html)

------
recursive
Could someone who understands them explain the screenshots to me like I was 5?
I'm familiar with ruby, internet explorer, and virtual machines, but I can not
make any sense of these images.

~~~
burlyscudd
He's running a web server process w/ Metasploit, configured to serve/run the
exploit module. Then he issues a GET request to the server w/ the affected
browser and gets a session in Metasploit (framework). The screenshots are
basically proof showing that the session (connection to compromised machine w/
high-level/root access) has been created.

~~~
xtdx
It's not root access. It's access as whatever user was running the browser.

~~~
Ntrails
Ignoring that most users run their main Windows login as administrator, if we
pretend it's just a guest account, how much of an impediment would that be to
them disrupting any anti-virus and installing some malware?

~~~
xtdx
Are you asking if anybody has a 0-day Windows kernel exploit? Or if lots of
users are going to click okie dokie when the UAC prompt comes up?

I'd say yes and yes.

------
dkroy
Resistance is futile. It is time to assimilate, download chrome.

------
jneal
Can't say I'm ever surprised when exploits like this pop up, but it's
definitely valuable to know. I don't use IE nor manage users on IE so I know
I'm fine, but those of you out there using it or managing users that use it
should probably take this as an opportunity to re-educate users on security
best practices including email attachments and visiting unfamiliar websites.

Also important to note that some websites you may be familiar with could
become compromised and attack-code added within iFrames is very common, so
it's best to just not use IE at all until a patch is released.

------
Zenst
www.google.com/chrome, don't leave 127.0.0.1 without it.

I find packaging up 0-days into point-click downloads for Metasploit and the
likes akin to giving a small child a loaded gun, but that's me I guess. Will
only encourage the digital vandals (media calls them hackers, bless).

~~~
burlyscudd
In addition to giving security professionals tools to see how vulnerable their
infrastructure is to real-world attacks, releasing exploits like this actually
creates significant pressure for vendors to patch vulnerable software.

Take the recent Java 1.7 vuln (3 weeks or so ago). Oracle released a patch 4
days after that exploit was rolled into Metasploit. I'm sure they'll tell you
that's a coincidence, but it's still nice to see happen completely out-of-band
from their normal patch process. Word around the campfire is that Oracle knew
of that vuln for months w/out a patch. Then along comes big bad Metasploit and
you've got a patch for everyone on Java 1.7. I call that a win.

~~~
Zenst
Oh, you're dead right, but security professionals have access to less public
sources of tools and testing abilities; they just don't have to be so easily
accessible for those who could perhaps fail at unpacking a tar file.

As for embarrassing the vendor and highlighting their sloppiness, well, there
may be some mileage in that. Though you would have thought vendors were a little
bit more proactive.

Still, it's out there now, and in that evolution is a wondrous thing to behold
at work; some will learn and some will not.

------
RutZap
I sure hope this exploit gets a lot of attention, in this way most people will
understand the importance of upgrading their browser and thus... we, web
developers, will not have to support crappy browsers (IE7 I'm looking at you!)
:D

------
propercoil
wow this is so big it makes my head spin.. most def the new MS08-067

~~~
ohashi
MS08-067 you could simply attack the host and root it though. This requires
you to get them to click a link and assume they are using a vulnerable browser.

~~~
projct
Could pretty easily combine it with XSS or otherwise compromised ad servers /
web servers.

