On December 21 unknown hackers successfully hacked the website of the Council on Foreign Relations, United States (http://www.cfr.org) and posted on the site exploiting a previously unknown vulnerability in Microsoft Internet Explorer.
First of incident was spoken about only on December 27, representative of the Council on Foreign Relations, David Michal (David Mikhail) said that the organization is aware of a security incident, and is being investigated.
On December 28th the company FireEye published a blog analysis of malicious software that have been used by hackers. According to the analysis of FireEye, attackers have used Adobe Flash for the preparation of dynamic memory on the system of the victim (heap spray) for the successful operation of a zero-day vulnerability in Microsoft Internet Explorer. The exploit has been designed for users who have a browser default in English, Chinese, Japanese, Korean or Russian.
Also, attackers have used all cookies, the exploit is triggered only one time for a particular browser.
Judging by the presence of metadata in the load on the system library it an be said that Chinese programmers are responsible for developing the exploit.
Last night, Microsoft confirmed the vulnerability in Microsoft Internet Explorer and has released security bulletin.
Vulnerability applies to Microsoft Internet Explorer 6.x, 7.x and 8.x. They are currently working on exploit to be added for Metasploit Framework.
A detailed description of the vulnerability:
Arbitrary code execution in Microsoft Internet Explorer
- Danger: Critical
- The presence of corrections: No
- Number of vulnerabilities: 1
- CVSSv2 rating: (AV: N / AC: L / Au: N / C: C / I: C / A: C / E: H / RL: U / RC: C) = Base: 10/Temporal: 10
- CVE ID: CVE-2012-4792
- Vector operation: Remote
- Impact: System compromise
- CWE ID: No data
- Be exploited Active exploitation of the vulnerability
- Affected products: Microsoft Internet Explorer 6.x
- Microsoft Internet Explorer 7.x
- Microsoft Internet Explorer 8.x
Affected versions: Microsoft Internet Explorer version 6.x, 7.x, 8.x
The vulnerability allows a remote user to execute arbitrary code on the target system.
An error after release of the processing facility “CDwnBindInfo”. This can be exploited via a specially crafted Web-page call dereference already freed object and execute arbitrary code on the target system.
Note: The vulnerability is being actively exploited at present.
Manufacturer URL: www.microsoft.com
Solution: The way to eliminate this vulnerability does not exist at present.
LetsByteCode Inc. encourages his readers to temporarily stop using the affected versions of Internet Explorer.