7 Replies Latest reply on Sep 24, 2012 8:30 AM by Regis

    Internet Explorer vulnerability covered by McAfee???

    Daniel_S

      Hey guys,


      wondering if someone can tell me if the newly discovered IE vulnerability and the exploits using it are detected by the newest VSE 8.8 Patch 2 version?

      Couldn't find an official post by McAfee, but I think it's an important thing to know as, at least here in Germany, all media are talking about it.


      Regards

      Dan

        • 1. Re: Internet Explorer vulnerability covered by McAfee???
          trippy20877

          Dan


          I called my platinum support earlier today and I was told McAfee is calling the exploit "exploit-IEexecCommand". They had a beta dat out Monday (http://blogs.mcafee.com/network-security/never-ending-0day-story) but that exploit has since been added to dat 6839. If you check the release notes for dat 6839 you will see "exploit-IEexecCommand" was added to new detections and now moved to enhanced for dat 6840. As it was explained to me McAfee can now stop what would come down to the system via that exploit. But you still need to patch IE when a patch is released to make sure nothing can use the exploit.

          • 2. Re: Internet Explorer vulnerability covered by McAfee???
            Daniel_S

            Thanks for sharing that info.

            • 3. Re: Internet Explorer vulnerability covered by McAfee???

              The coverage is more extensive than that. Security Advisory MTIS12-147 is McAfee's write-up, and under coverage they note that they expect this vuln to be mitigated by Buffer Overflow Protection on VSE 8.x.


              McAfee MTISs are well hidden on the website, otherwise I'd directly link to it.

              • 4. Re: Internet Explorer vulnerability covered by McAfee???
                rmetzger

                mjmurra wrote:


                McAfee MTISs are well hidden on the website, otherwise I'd directly link to it.

                If it is Publicly available (meaning that anyone could find and read) why not directly link it?


                [rant]

                McAfee? Why haven't you made this document Easily found along with the other MTIS documents ( https://community.mcafee.com/community/security/gti/mtis?view=overview ) and make your analysis widely available. Why should I have to wait and search for hidden Security Advisories?


                If it is only available to a select group, at least let us know that and refer them to an explanation. I have been looking for this document for 3 days, and it has Not been made available to me anyway. My customers are asking questions of Me about this.


                They use VSE and I expect more than vague references to hidden advisories.


                McAfee, let's get it together and Publish (Make Public) this Advisory.

                [/rant]


                Thanks for listening,

                Ron Metzger

                • 5. Re: Internet Explorer vulnerability covered by McAfee???

                  You can subscribe to them here: http://www.mcafee.com/apps/mcafee-labs/signup.aspx


                  Here's the write-up:


                  Microsoft Internet Explorer Use-After-Free exCommand Heap Stray Code Execution
                  MTIS12-147-A

                  IMPORTANCE:

                  High

                  COVERED PRODUCTS:

                  DAT | BOP | Host IPS | Network Security Platform | Web Gateway | Application Control

                  UNDER ANALYSIS:

                  Remediation Manager | Policy Auditor SCAP | MNAC 2.x | Firewall Enterprise


                  THREAT DETAILS

                  Microsoft Internet Explorer Use-After-Free exCommand Heap Stray Code Execution
                  MTIS12-147-A

                  THREAT IDENTIFIER(S)

                  MS 2757760; M72739

                  THREAT TYPE

                  Vulnerability

                  RISK ASSESSMENT

                  High

                  MAIN THREAT VECTORS

                  Web; E-Mail

                  USER INTERACTION REQUIRED

                  Yes

                  DESCRIPTION

                  A code execution vulnerability exists in some versions of Microsoft Internet Explorer. Exploitation is achieved via a maliciously crafted SWF file. Users are lured to a malicious site containing the SWF file. Further processing drops 111.exe, which presents as an Autodesk FLIC image file. The actual shellcode was XOR'ed with opcode 0xE2, and it also uses a hook-hopping technique when calling APIs like urlmon!URLDownloadToCacheFileW, kernel32!CreateFileW and kernel32!WinExec, etc. Hook hopping is commonly used to bypass common security protection like AV and HIPS. After successful exploitation, the shellcode will download a trojan from a remote server.

                  IMPORTANCE

                  High. On September 17, details of this vulnerability were disclosed. Functional exploit code has been observed in in-the-wild attacks.

                  MCAFEE PRODUCT COVERAGE

                     DAT FILES

                  Coverage for known exploit binaries is provided as "Exploit-IEexecCommand" in the current Beta DAT release. This coverage will be included in a future full DAT release. Beta DAT downloads are available at http://www.mcafee.com/apps/mcafee-labs/beta/dat-file-updates.aspx.

                     VIRUS SCAN ENTERPRISE SCAN BOP

                  Generic buffer overflow protection is expected to cover code-execution exploits.

                     HOST IPS

                  Specific coverage is provided by signatures 6013 and 6048 ("Suspicious Function Invocation - CALL Not Found" / "Suspicious Function Invocation - Different Stack"). Both 6013 and 6048 were released in September 2011. Generic buffer overflow protection is expected to cover code-execution exploits.

                     NETWORK SECURITY PLATFORM

                  Coverage is provided in the UDS release of September 17, 2012 ("UDS-HTTP: Microsoft internet Explorer Use-After-Free exCommand Heap Stray Code Execution").

                     VULNERABILITY MANAGER

                  Coverage will be provided in the FSL/MVM release of September 17.

                     WEB GATEWAY

                  Coverage for known exploit binaries is provided as "Exploit-IEexecCommand" in the current Beta DAT release. This coverage will be included in a future full DAT release. Beta DAT downloads are available at http://www.mcafee.com/apps/mcafee-labs/beta/dat-file-updates.aspx.

                     REMEDIATION MANAGER

                  Under analysis

                     POLICY AUDITOR

                  Under analysis

                     NETWORK ACCESS CONTROL

                  Under analysis

                     FIREWALL ENTERPRISE

                  Under analysis

                     APPLICATION CONTROL

                  Run-Time Control locks down systems and provides protection in the form of Execution Control and Memory Protection.

                     DATABASE ACTIVITY MONITORING

                  Out of scope

                     VULNERABILITY MANAGER FOR DATABASES

                  Out of scope

                  ADDITIONAL INFORMATION

                  Microsoft: Vulnerability in Internet Explorer Could Allow Remote Code Execution
                  US-CERT: Microsoft Internet Explorer 7/8/9 contain a use-after-free vulnerability
                  Eric Romang: Zero-Day Season Is Really Not Over Yet
                  McAfee Labs Blog: Never Ending 0day Story

                  • 6. Re: Internet Explorer vulnerability covered by McAfee???
                    dnf

                    So I guess if I look for threat name "exploit-IEexecCommand" I could know how many computers had the problem with that threat.
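An added example (not from any poster in this thread) of the tally dnf describes: it counts detections of the threat name per host from an event export, and separately lists hosts whose DAT predates 6839, the first full DAT the thread says carries the detection, since a host on an older DAT could not have logged it. Both CSV layouts are constructed stand-ins, not a real ePO/VSE export format.

```python
"""Tally Exploit-IEexecCommand detections per host and list hosts whose
DAT is older than 6839 (per the thread, the first full DAT with the
detection). Both CSV layouts are constructed, not a real ePO/VSE export."""
import csv
import io
from collections import Counter

THREAT_NAME = "exploit-ieexeccommand"   # matched case-insensitively
FIRST_FULL_DAT = 6839

# Constructed threat-event export: one row per detection event.
EVENTS_CSV = """\
host,threat_name,action
ws-001,Exploit-IEexecCommand,Deleted
ws-002,exploit-IEexecCommand,Cleaned
ws-001,Exploit-IEexecCommand,Deleted
ws-003,Generic.dx,Deleted
"""

# Constructed DAT inventory: current DAT version per managed host.
DAT_CSV = """\
host,dat_version
ws-001,6840
ws-002,6839
ws-003,6841
ws-004,6835
"""


def count_hits(events_csv, threat=THREAT_NAME):
    """Return {host: number of detections} for the given threat name."""
    rows = csv.DictReader(io.StringIO(events_csv))
    return dict(Counter(r["host"] for r in rows
                        if r["threat_name"].lower() == threat))


def hosts_below_dat(dat_csv, floor=FIRST_FULL_DAT):
    """Hosts whose DAT is older than `floor`; for them, no event is not
    evidence of no exposure, because the signature was not yet present."""
    rows = csv.DictReader(io.StringIO(dat_csv))
    return sorted(r["host"] for r in rows if int(r["dat_version"]) < floor)


if __name__ == "__main__":
    print("detections per host:", count_hits(EVENTS_CSV))
    print("hosts still below DAT 6839:", hosts_below_dat(DAT_CSV))
```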

                    • 7. Re: Internet Explorer vulnerability covered by McAfee???
                      Regis

                      As someone with a penetration tester background, and a non-McAfee voice here, I feel obliged to stress that signature-based detections are rather easily bypassed. Just because McAfee has a detection for the default Metasploit payload, or a few variants of the exploit seen in the wild, doesn't mean you are adequately protected.


                      APPLY THE INTERNET EXPLORER PATCH that Microsoft has released, or block all Internet surfing from an Internet Explorer user agent; those are the only ways to really handle this one. It's a big, big deal. Yes, IPS and AV signatures do help against script kiddies who don't know how to use re-encoding options in Metasploit, and VSE 8.8 buffo protections can be somewhat useful assuming a healthy VSE 8.8 installation, but they are no excuse not to close the hole and apply the Microsoft-provided patch.


                      Cheers,

                      Regis


                      Message was edited by: Regis on 9/24/12 8:30:07 AM CDT