The following cyber advisory was issued by the New York State Office of Information Technology Services and is intended for State government entities. The information may or may not be applicable to the general public and, accordingly, the State does not warrant its use for any specific purposes.

ITS ADVISORY NUMBER:
2012-097

DATE(S) ISSUED:
12/31/2012

SUBJECT:
Vulnerability in Internet Explorer Could Allow Remote Code Execution

OVERVIEW:

A vulnerability has been discovered in Microsoft's web browser, Internet Explorer, which could allow an attacker to take complete control of an affected system. Exploitation may occur if a user visits or is redirected to a web page which is specifically crafted to take advantage of the vulnerability. Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts may result in a denial-of-service condition.

It should be noted that there is currently no patch available for this vulnerability and it is currently being exploited in the wild resulting in remote code execution.

Please also note that OCS received reports that the Council on Foreign Relations (CFR) website cfr.org had been compromised and a specially crafted JavaScript was inserted into the webpage located at "hxxp://cfr[.]org/js/js/news_123432476.html". This script has been exploiting the unpatched Internet Explorer vulnerability discussed in this advisory since December 7, 2012. If the exploitation was successful, the compromised system would connect to a subdomain of "yourtrap.com". The CFR is currently aware of the issue and has corrected its website.

SYSTEMS AFFECTED:

  • Internet Explorer 6
  • Internet Explorer 7
  • Internet Explorer 8

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:
A vulnerability has been discovered in Microsoft's web browser, Internet Explorer, which could allow an attacker to take complete control of an affected system. The vulnerability exists due to the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer.

Exploitation may occur if a user visits or is redirected to a web page which is specifically crafted to take advantage of this vulnerability. Successful exploitation of the vulnerability could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts may result in a denial-of-service condition.

It should be noted that there is currently no patch available for this vulnerability and it is currently being exploited in the wild resulting in remote code execution.

Please also note that OCS received reports that the Council on Foreign Relations (CFR) website cfr.org had been compromised and a specially crafted JavaScript was inserted into the webpage located at "hxxp://cfr[.]org/js/js/news_123432476.html". This script has been exploiting the unpatched Internet Explorer vulnerability discussed in this advisory since December 7, 2012. If the exploitation was successful, the compromised system would connect to a subdomain of "yourtrap.com". The CFR is currently aware of the issue and has corrected its website.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Upgrade to the most recent version of Internet Explorer immediately after appropriate testing.
  • If upgrading Internet Explorer is not feasible, consider using an alternate browser until this vulnerability is remediated.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Review your network logs for traffic to the above network indicators.  
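
One way to carry out the log review in the last recommendation, shown as an added example that is not part of the original advisory. It assumes a space-separated web proxy log (timestamp, client, method, target, status); the function names, the sample lines and the `www.` host variant are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators from the advisory, refanged for matching.
C2_PARENT = "yourtrap.com"                  # advisory: "a subdomain of" this domain
PAGE_HOST = "cfr.org"
PAGE_PATH = "/js/js/news_123432476.html"

def refang(value):
    """Undo common defanging (hxxp://, [.]) so indicators compare cleanly."""
    value = re.sub(r"^hxxp", "http", value.strip(), flags=re.I)
    return value.replace("[.]", ".")

def classify(target):
    """Return 'c2', 'exploit-page' or None for a requested URL or host[:port]."""
    target = refang(target)
    if "://" not in target:
        target = "http://" + target         # bare host, e.g. from a CONNECT line
    try:
        parts = urlsplit(target)
    except ValueError:
        return None                         # unparseable target
    host = (parts.hostname or "").rstrip(".")
    # Compare on a label boundary so notyourtrap.com does not match.
    if host.endswith("." + C2_PARENT):
        return "c2"
    # The www. variant is an assumption; the advisory lists the bare host.
    if host in (PAGE_HOST, "www." + PAGE_HOST) and parts.path == PAGE_PATH:
        return "exploit-page"
    return None

def scan(lines):
    """Return (timestamp, client, verdict, target) for each matching line."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue                        # skip malformed lines
        ts, client, _method, target = fields[:4]
        verdict = classify(target)
        if verdict:
            hits.append((ts, client, verdict, target))
    return hits

# Constructed sample log; hosts other than the advisory's indicators are placeholders.
SAMPLE_LOG = """\
2012-12-21T14:02:11Z 10.1.4.23 GET http://www.cfr.org/js/js/news_123432476.html 200
2012-12-21T14:02:15Z 10.1.4.23 CONNECT placeholder.yourtrap.com:443 200
2012-12-21T14:05:40Z 10.1.7.9 GET http://www.cfr.org/ 200
2012-12-21T14:06:02Z 10.1.7.9 GET http://notyourtrap.com/ 200
""".splitlines()
```

A client that appears with both verdicts, as 10.1.4.23 does in the sample, loaded the compromised page and then contacted the callback domain, so it is the first host to examine.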

REFERENCES: 
Microsoft:
http://technet.microsoft.com/en-us/security/advisory/2794220
http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx
http://blogs.technet.com/b/msrc/archive/2012/12/29/microsoft-releases-security-advisory-2794220.aspx?utm_source=twitterfeed&utm_medium=twitter

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4792

NextWeb:
http://thenextweb.com/microsoft/2012/12/29/criminals-use-adobe-flash-and-new-ie-vulnerability-in-targeted-attacks-ie9-and-ie10-users-are-safe/

AlienVault:
http://labs.alienvault.com/labs/index.php/2012/just-another-water-hole-campaign-using-an-internet-explorer-0day/

FireEye:
http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html