The exploit in question, used by the Nitro Gang, has just made its way into the Metasploit module base. You can get more details on the Metasploit blog. The exploit, which affects Internet Explorer 7, 8 and 9 on Windows XP, Vista and 7, can compromise a system when the user merely visits a malicious website. As per the Microsoft Security Advisory, IE10 on Windows 8 is not exploitable. It seems that the bug has already been patched in IE10 but has not yet been backported to older versions.
Microsoft is yet to roll out a patch for the bug. There has been a security advisory, http://technet.microsoft.com/en-us/security/advisory/2757760. A comprehensive security update is to be released on Friday.
The Microsoft Security Response Center advises users to:
- Deploy Enhanced Mitigation Experience Toolkit (EMET) and
- Set Internet and local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones.
Also, disable Java until a fix appears from MS, since the Metasploit module needs Java on the victim side to exploit the vulnerability.
If you are looking for more details, see the blog post http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/. The bug, described as the ‘Microsoft Internet Explorer execCommand Vulnerability’ in the later post http://eromang.zataz.com/2012/09/17/microsoft-internet-explorer-execcommand-vulnerability-metasploit-demo/, seems to be a good weapon in the botmakers' arsenal to compromise more and more systems for blasting more spam mails.
For more details visit,
Also, please read this post on krebsonsecurity.com if you are really an IE user.
UPDATE: MSRC has issued an update promising a “Fix it” in the next few days. Read the update, “Additional information about Internet Explorer and Security Advisory 2757760”.
UPDATE: As promised, Microsoft has released an immediate ‘Fix it’ to address the issue. For more information read the MSRC update here http://blogs.technet.com/b/srd/archive/2012/09/19/more-information-on-security-advisory-2757760-s-fix-it.aspx. Download the ‘Fix it’ from the Microsoft Support Center http://support.microsoft.com/kb/2757760
Notes from the Support Center:
- For computers that are running 64-bit operating systems, the following Fix it solution only applies to 32-bit versions of Internet Explorer.
- Before you apply this Fix it solution, you must ensure that Internet Explorer is fully updated by using the Windows Update service.
UPDATE: It seems that the ‘Fix it’ expects mshtml.dll to be at the latest patch level; otherwise the fix won't work. So make sure the box is fully patched before applying the fix for KB2757760, and then test with the Metasploit module.
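To confirm on a given machine that the zone workaround is in place and to see which mshtml.dll build the ‘Fix it’ will find, a read-only PowerShell audit along these lines can be used. This is an added example, not from the original post or from Microsoft; the function names are hypothetical, and checking machine policy before the per-user setting is a simplifying assumption.

```powershell
# Added audit example, not from the original post. Read-only: changes nothing.
$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$actions = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$High    = 0x12000   # CurrentLevel for the "High" template
$Disable = 3         # URL action value: 0 = Enable, 1 = Prompt, 3 = Disable

# Simplification (assumption): machine policy first, then the per-user setting.
$roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

# Hypothetical helper: first value found for a zone setting, or $null.
function Get-ZoneValue([int]$Zone, [string]$Name) {
    foreach ($root in $roots) {
        $item = Get-ItemProperty -Path (Join-Path $root "$Zone") -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

# Hypothetical helper: one report row; Hardened is true only on an exact match.
function New-Row($Zone, $Setting, $Value, $Expected) {
    $shown = if ($null -eq $Value) { '(not set)' } else { '0x{0:X}' -f $Value }
    New-Object PSObject -Property @{
        Zone = $Zone; Setting = $Setting; Value = $shown; Hardened = ($Value -eq $Expected)
    } | Select-Object Zone, Setting, Value, Hardened
}

$report = foreach ($z in ($zones.Keys | Sort-Object)) {
    New-Row $zones[$z] 'Security level' (Get-ZoneValue $z 'CurrentLevel') $High
    foreach ($a in ($actions.Keys | Sort-Object)) {
        New-Row $zones[$z] $actions[$a] (Get-ZoneValue $z $a) $Disable
    }
}
$report | Format-Table -AutoSize

# The Fix it targets 32-bit IE, so on 64-bit Windows the SysWOW64 copy matters too.
foreach ($dir in 'System32', 'SysWOW64') {
    $dll = Join-Path $env:windir "$dir\mshtml.dll"
    if (Test-Path $dll) {
        '{0}: {1}' -f $dll, (Get-Item $dll).VersionInfo.FileVersion
    }
}
```

The script only reports the mshtml.dll file version; compare it against the build delivered by the latest Internet Explorer cumulative update from Windows Update, since the post does not state a version number.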