December 22, 2010

Two different 0-day exploits in Internet Explorer

Lei Li

Two new zero-day exploits were published on December 22. A remote attacker could use either of them to take complete control of a vulnerable system. Websense Security Labs is monitoring the situation and will update this blog post as we learn more. Websense customers are protected by the real-time analytics in ACE.

The first vulnerability, CVE-2010-3971, targets the way Internet Explorer handles Cascading Style Sheets (CSS). When parsing an HTML page that contains a recursive CSS @import (a stylesheet that imports itself, directly or through a chain of other sheets), memory is freed and later referenced again: a use-after-free that can lead to arbitrary code execution. Internet Explorer 6, 7 and 8 are all affected. Whether the exploit works against Internet Explorer 9 has not yet been verified.
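A static check for the trigger pattern described above, as an added example: it is not Websense's ACE logic or any code from the original post. It walks a page's stylesheet links and the @import graph beneath them and reports every distinct cycle, the shortest case being a sheet that imports itself. The site content and URLs are constructed in memory so it runs offline; the generalisation to indirect cycles (a.css imports b.css imports a.css) goes beyond the direct self-import the text describes.

```python
"""Scan a page's stylesheet graph for recursive @import chains.

Added example (not Websense code): a static check that flags the
self-importing stylesheet pattern described above. The 'site' below is a
constructed, offline stand-in for fetched content.
"""
import re
from urllib.parse import urljoin

# Constructed sample content (not real pages): one page whose stylesheet
# imports itself repeatedly, and one with an ordinary import chain.
CONSTRUCTED_SITE = {
    "http://attacker.test/page.html":
        '<html><head><link rel="stylesheet" href="css/loop.css"></head>'
        '<body>hello</body></html>',
    "http://attacker.test/css/loop.css":
        "@import url('loop.css');\n"
        "@import url('loop.css');\n"
        "@import url('loop.css');\n"
        "@import url('loop.css');\n"
        "body { color: red }\n",
    "http://benign.test/index.html":
        '<link rel="stylesheet" href="main.css">',
    "http://benign.test/main.css":
        "@import 'reset.css';\nh1 { font-size: 2em }\n",
    "http://benign.test/reset.css":
        "* { margin: 0 }\n",
}

LINK_TAG = re.compile(r"<link\b[^>]*>", re.I)
ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
CSS_IMPORT = re.compile(
    r"""@import\s+(?:url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]+))\s*\)|"([^"]*)"|'([^']*)')""",
    re.I,
)


def _attrs(tag):
    """Attribute name -> value for one HTML start tag (quoted or bare values)."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR.finditer(tag)}


def stylesheet_links(html, base_url):
    """Absolute URLs of <link rel="stylesheet" href=...> tags in html."""
    urls = []
    for m in LINK_TAG.finditer(html):
        a = _attrs(m.group(0))
        if "stylesheet" in a.get("rel", "").lower() and a.get("href"):
            urls.append(urljoin(base_url, a["href"]))
    return urls


def css_imports(css, base_url):
    """Absolute URLs of every @import in a stylesheet, in order, repeats kept."""
    out = []
    for m in CSS_IMPORT.finditer(css):
        target = next(g for g in m.groups() if g)
        out.append(urljoin(base_url, target))
    return out


def find_import_cycles(roots, fetch):
    """Depth-first walk of the @import graph; returns each distinct cycle once.

    fetch(url) returns the stylesheet text or None if unavailable.
    Sheets on the current path are 'gray'; an import back to a gray sheet is
    a cycle (a direct self-import is the shortest case: [u, u]). Finished
    sheets are 'black' so each sheet is parsed once, whatever the fan-out.
    """
    gray, black, cycles, seen = [], set(), [], set()

    def visit(url):
        if url in black:
            return
        if url in gray:
            cyc = tuple(gray[gray.index(url):] + [url])
            if cyc not in seen:
                seen.add(cyc)
                cycles.append(list(cyc))
            return
        css = fetch(url)
        gray.append(url)
        if css is not None:
            for target in css_imports(css, url):
                visit(target)
        gray.pop()
        black.add(url)

    for r in roots:
        visit(r)
    return cycles


def scan_page(page_url, fetch):
    """Return @import cycles reachable from the page's stylesheet links."""
    html = fetch(page_url) or ""
    return find_import_cycles(stylesheet_links(html, page_url), fetch)


if __name__ == "__main__":
    fetch = CONSTRUCTED_SITE.get
    for page in ("http://attacker.test/page.html", "http://benign.test/index.html"):
        print(page, "->", scan_page(page, fetch) or "no recursive imports")
```

This is a heuristic over fetched text only: CSS injected at runtime by script, or an @import hidden behind obfuscation the regex does not recognise, will not be seen, which is why a static scanner is a complement to, not a replacement for, the in-browser mitigations discussed below.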

The built-in DEP and ASLR protections of Windows and Internet Explorer are not guaranteed to stop this exploit. The reason is that mscorie.dll, a .NET Framework DLL that Internet Explorer loads, was not compiled with ASLR support, so it is mapped at a predictable address; that gives an attacker a fixed source of gadgets for return-oriented programming (ROP), which is enough to bypass DEP as well and exploit the system. Microsoft's blog post describes workarounds that can be applied before a patch is released, including using the Enhanced Mitigation Experience Toolkit (EMET) to force ASLR onto modules that did not opt in. More information about the vulnerability is in the security advisory Microsoft released.
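The check a practitioner wants here is whether a given module opted into ASLR and DEP at all. The script below is an added example, not Microsoft's or Websense's tooling: it reads the DllCharacteristics word of the PE optional header (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040 is set by /DYNAMICBASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100 by /NXCOMPAT), which is the same information dumpbin /headers prints as "Dynamic base" and "NX compatible". It also checks the COFF IMAGE_FILE_RELOCS_STRIPPED flag, because an image without relocations cannot be moved even if it asks to be. The sample images are built in memory and are stand-ins, not the real mscorie.dll bytes; pass a path on the command line to inspect an actual DLL.

```python
"""Check whether a PE image opted into ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT).

Added example, not from Microsoft or Websense: it reads the flags straight
from the PE optional header. The sample images are constructed in memory so
the script runs offline; run it with a path to check a real DLL.
"""
import struct
import sys

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # opted into ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # opted into DEP

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHARACTERISTICS_OFFSET = 70  # same offset in PE32 and PE32+ optional headers


def pe_mitigations(data):
    """Parse the PE headers in `data` and report its DEP/ASLR opt-ins."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (_machine, _nsections, _stamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", data, opt + DLLCHARACTERISTICS_OFFSET)

    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # Without relocations the loader cannot move the image even if the
        # flag is set, so the module is still a fixed ROP gadget source.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def build_fake_pe(dll_chars, characteristics=0x2102, pe32plus=False):
    """Constructed minimal PE headers (no sections) for offline testing.

    characteristics defaults to EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def rop_friendly(data):
    """True if the image sits at a fixed address an attacker can chain gadgets from."""
    return not pe_mitigations(data)["aslr_effective"]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], pe_mitigations(f.read()))
    else:
        # Hypothetical stand-ins, not the real mscorie.dll bytes:
        legacy = build_fake_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT)          # DEP only
        hardened = build_fake_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT
                                 | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)  # DEP + ASLR
        print("legacy-style  :", pe_mitigations(legacy))
        print("hardened-style:", pe_mitigations(hardened))
```

The flags record what the module asked for, not what the system does: Windows XP has no ASLR regardless of the flag, and EMET's mandatory ASLR can relocate a module that never opted in. A module reporting aslr_effective False inside the IE process is exactly the condition that makes the ROP bypass described above practical.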


The second vulnerability takes advantage of the Microsoft WMI Administrative Tools ActiveX control. Internet Explorer is vulnerable only if the WMI Administrative Tools are installed. The vulnerability is a design flaw: the AddContextRef() and ReleaseContext() methods of the WMI Object Viewer control accept an object pointer from script, and a crafted pointer value can result in arbitrary code execution. An Internet Explorer user with WBEMSingleView.ocx installed can be exploited simply by visiting a malicious Web page. If the control is installed, the vulnerability can be mitigated by setting the kill bit on the affected CLSID, {2745E5F5-D234-11D0-847A-00C04FD7BB08}.
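Setting the kill bit means writing a "Compatibility Flags" DWORD with the 0x400 bit set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}; on 64-bit Windows the 32-bit Internet Explorer reads the Wow6432Node copy of that key, so both views need it. The script below is an added example, not Microsoft's or Websense's tooling: it audits a registry export for the kill bit on a CLSID (absent key, key present without the bit, and bit set are reported separately) and generates the .reg text that applies it. The export it reads is constructed here so it runs on any platform; on a Windows host, `reg export` of the ActiveX Compatibility key produces the real input and `reg import` applies the generated file.

```python
"""Audit and generate the ActiveX kill bit for a CLSID.

Added example (not Microsoft's or Websense's tooling): the kill bit is the
0x400 bit of the "Compatibility Flags" DWORD under
HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{CLSID};
on 64-bit Windows the 32-bit IE reads the Wow6432Node copy, so both are
checked. Input is a constructed .reg export so this runs anywhere.
"""
import re

KILL_BIT = 0x400
CLSID_WMI_OBJECT_VIEWER = "{2745E5F5-D234-11D0-847A-00C04FD7BB08}"
COMPAT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility",
)

# Constructed registry export (not from a real machine): the WMI CLSID is
# killed in the native view only; a second, made-up CLSID has flags set but
# not the kill bit.
CONSTRUCTED_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2745E5F5-D234-11D0-847A-00C04FD7BB08}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000AAAA}]
"Compatibility Flags"=dword:00000001
"""

SECTION = re.compile(r"^\[(.+?)\]\s*$", re.M)
FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})\s*$', re.M)


def parse_compat_flags(reg_text):
    """Map of lower-cased key path -> Compatibility Flags value from a .reg export."""
    flags = {}
    sections = list(SECTION.finditer(reg_text))
    for i, m in enumerate(sections):
        end = sections[i + 1].start() if i + 1 < len(sections) else len(reg_text)
        f = FLAGS.search(reg_text[m.end():end])
        if f:
            flags[m.group(1).lower()] = int(f.group(1), 16)
    return flags


def killbit_status(reg_text, clsid):
    """Per registry view: True (killed), False (present, not killed), None (no key)."""
    flags = parse_compat_flags(reg_text)
    result = {}
    for key in COMPAT_KEYS:
        view = "wow6432" if "Wow6432Node" in key else "native"
        value = flags.get((key + "\\" + clsid).lower())
        result[view] = None if value is None else bool(value & KILL_BIT)
    return result


def killbit_reg_file(clsid):
    """.reg text that sets the kill bit for clsid in both registry views."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in COMPAT_KEYS:
        lines += ["[%s\\%s]" % (key, clsid.upper()),
                  '"Compatibility Flags"=dword:%08x' % KILL_BIT, ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(killbit_status(CONSTRUCTED_REG_EXPORT, CLSID_WMI_OBJECT_VIEWER))
    print(killbit_reg_file(CLSID_WMI_OBJECT_VIEWER))
```

The kill bit only stops Internet Explorer from instantiating that CLSID; it does not remove WBEMSingleView.ocx, and a later version of the tools registered under a new CLSID would not be covered, so re-audit after installs.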

Both vulnerabilities were first disclosed by WooYun.org.


Metasploit has added modules for both vulnerabilities. For more information, see MS11_xxx_ie_css_import and WMI_admintools.
