Critical zero-day bug in Internet Explorer under active attack

mechBgon

Super Moderator, Elite Member
Update: Microsoft has a Fix-It at http://support.microsoft.com/kb/2757760 and is going to send out a patch via Automagic Updates on Friday.


Microsoft has a security advisory yonder: http://blogs.technet.com/b/msrc/archive/2012/09/17/microsoft-releases-security-advisory-2757760.aspx

As both Ars and Microsoft mention, it would be a good idea to install EMET regardless of what browser(s) you use. EMET 3.0 is available here: http://www.microsoft.com/en-us/download/details.aspx?id=29851

If you want to play with the beta EMET 3.5 version, it's here: http://www.microsoft.com/en-us/download/details.aspx?id=30424

In either case, make sure to configure EMET, so it actually does stuff. EMET can currently toggle three system-wide settings: DEP, SEHOP and ASLR. I suggest these options:

(screenshot: emet_1.png, EMET system-wide settings for DEP, SEHOP and ASLR)

EMET can also apply tweaks to programs on an individual basis. Click "Configure Apps" at the bottom, and you can add apps yourself and/or import a preconfigured list using File > Import, such as the ALL list, which has a bunch of popular software already included:

C:\Program Files (x86)\EMET\Deployment\Protection Profiles\All.xml

Microsoft's list doesn't switch on all the mitigations. I've found very few issues with switching on all the mitigations, so that's what I'd suggest:

(screenshot: emet_2.png, EMET per-application mitigations with all options switched on)
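As an added example that is not from this thread and not part of Microsoft's EMET: a PowerShell script that reads back the state of the three system-wide settings the post mentions (DEP, SEHOP and ASLR) from the places Windows stores them, so you can confirm that EMET's changes actually took effect after the reboot it asks for. The registry value names, the bcdedit output format and the interpretation of the MoveImages values are assumptions taken from Windows 7 era documentation, not something the EMET interface exposes; run it from an elevated prompt.

```powershell
# Added example, not from the thread: report the effective state of the three
# system-wide mitigations EMET 3.x toggles. Assumptions (labelled): value names
# and locations are the documented Windows 7 ones; EMET itself is not queried.

function Get-DepPolicy {
    # bcdedit prints a line like "nx   OptIn" for the current boot entry.
    # Possible values: OptIn, OptOut, AlwaysOn, AlwaysOff.
    $hit = bcdedit /enum '{current}' |
        Select-String -Pattern '^\s*nx\s+(\S+)' | Select-Object -First 1
    if ($hit) { return $hit.Matches[0].Groups[1].Value }
    return 'OptIn (default, no nx entry present)'
}

function Get-SehopState {
    # Assumption: SEHOP is controlled by DisableExceptionChainValidation
    # (0 = SEHOP on, 1 = SEHOP off). Absent means the SKU default applies:
    # off on client editions such as Windows 7, on on server editions.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisableExceptionChainValidation
    if ($null -eq $v) { return 'Default (value absent: off on client SKUs)' }
    if ($v -eq 0) { return 'Enabled' }
    return 'Disabled'
}

function Get-AslrState {
    # Assumption: system-wide ASLR is controlled by MoveImages under Memory
    # Management: 0 = off, 0xFFFFFFFF = always on, absent or other = opt-in.
    # A DWORD of 0xFFFFFFFF reads back as Int32 -1 from Get-ItemProperty.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).MoveImages
    if ($null -eq $v) { return 'Opt-in (default, MoveImages absent)' }
    switch ($v) {
        0       { return 'Disabled' }
        -1      { return 'Always on' }
        default { return "Opt-in (MoveImages = $v)" }
    }
}

function Get-SystemMitigationReport {
    # One row per mitigation, in the order EMET's system settings screen lists them.
    [PSCustomObject]@{ Mitigation = 'DEP';   State = Get-DepPolicy }
    [PSCustomObject]@{ Mitigation = 'SEHOP'; State = Get-SehopState }
    [PSCustomObject]@{ Mitigation = 'ASLR';  State = Get-AslrState }
}

# Registry-backed settings (SEHOP, ASLR) only apply after a reboot, so a fresh
# EMET change will still show the old state until then.
Get-SystemMitigationReport | Format-Table -AutoSize
```

The DEP value is the boot-time policy, not what any particular process ended up with; a process started in OptIn mode without DEP enabled still shows OptIn here, which is why the per-application EMET settings in the post matter on top of the system-wide ones.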

Chiefcrowe

Diamond Member
Thanks mech, I am going to try the EMET tool today!

EDIT - so far so good with EMET.

babcom

Member
mech,
I have found a few problems with EMET 3.5 on Windows 7 x64. With the new ROP features turned on for something like IE, Firefox or Windows Live Mail, I found that after closing these apps, they would still be running in Task Manager. Moreover, the CPU usage would immediately shoot up from 1 or 2% to 50% on a dual core and 17% on a six-core machine, i.e. a full core's worth of usage. I reported this to switech@microsoft.com some weeks ago and they got me to do a debug report using Debugging Tools for Windows, but I have heard nothing from Microsoft since then.
No problems with EMET 3.0, but it doesn't have ROP.
 

mechBgon

Super Moderator, Elite Member
In the case of IE, it has a parent instance at Medium integrity, and (assuming Protected Mode's not disabled) a child instance at Low integrity. If you close IE, the Low-integrity instance will close, followed by the Medium-integrity parent process after about 10 seconds. I'll try to investigate Windows Mail and Firefox, and post back if they're doing that here.

In my case, there's no major CPU load going on. I have EMET 3.5 on about a dozen boxes now, with ROP tweaks on just about everything, on systems ranging from an Athlon II x2 to Sandy Bridge i5s. Here's what EMET's applying to at system startup, and I think it does take it a couple extra seconds at startup to roll out this many instances:

Code:
EMET Notifier started, logging events.

EMET is configured for the following programs:
64bitmapibroker.exe
7z.exe
7zfm.exe
7zg.exe
acrobat.exe
acrobatupdater.exe
acrobroker.exe
acrord32.exe
acrord32info.exe
acrotextextractor.exe
adaptertroubleshooter.exe
adobearm.exe
adobearmhelper.exe
adobecollabsync.exe
aertsr64.exe
aitagent.exe
alg.exe
apcrun.exe
apcsystray.exe
apcupdates.exe
appidcertstorecheck.exe
appidpolicyconverter.exe
armsvc.exe
arp.exe
at.exe
atbroker.exe
attrib.exe
audiodg.exe
auditpol.exe
autochk.exe
autoconv.exe
autofmt.exe
axinstui.exe
baaupdate.exe
bcdboot.exe
bcdedit.exe
bdehdcfg.exe
bdeuisrv.exe
bdeunlockwizard.exe
bfsvc.exe
bitlockerwizard.exe
bitlockerwizardelev.exe
bitsadmin.exe
bootcfg.exe
bridgeunattend.exe
brs.exe
bthudtask.exe
cacls.exe
calc.exe
certenrollctrl.exe
certreq.exe
certutil.exe
change.exe
charmap.exe
chglogon.exe
chgport.exe
chgusr.exe
chkdsk.exe
chkntfs.exe
choice.exe
chrome.exe
cipher.exe
cldrvchk.exe
cleanmgr.exe
cliconfg.exe
clip.exe
clview.exe
cmd.exe
cmdkey.exe
cmdl32.exe
cmmon32.exe
cmstp.exe
cofire.exe
colorcpl.exe
communicator.exe
comp.exe
compact.exe
compmgmtlauncher.exe
computerdefaults.exe
conhost.exe
consent.exe
control.exe
convert.exe
credwiz.exe
cscript.exe
csrss.exe
ctfmon.exe
ctlcntrv.exe
cttune.exe
cttunesvr.exe
dac.exe
datacollectionlauncher.exe
dataserv.exe
dccw.exe
dcomcnfg.exe
ddodiag.exe
defrag.exe
devicedisplayobjectprovider.exe
deviceeject.exe
devicepairingwizard.exe
deviceproperties.exe
dfdwiz.exe
dfrgui.exe
dialer.exe
diantz.exe
difx64.exe
dinotify.exe
diskpart.exe
diskperf.exe
diskraid.exe
dism.exe
dispdiag.exe
display.exe
displayswitch.exe
djoin.exe
dllhost.exe
dllhst3g.exe
dnscacheugc.exe
doskey.exe
dpapimig.exe
dpiscaling.exe
dpnsvr.exe
driverquery.exe
drvinst.exe
dvdmaker.exe
dvdplay.exe
dvdupgrd.exe
dwm.exe
dwwin.exe
dxdiag.exe
dxpserver.exe
eap3host.exe
effectextractor.exe
efsui.exe
ehib.exe
ehstorauthn.exe
ekag20.exe
ekag20nt.exe
emet_conf.exe
emet_gui.exe
emet_notifier.exe
esentutl.exe
eudcedit.exe
eula.exe
eventcreate.exe
eventvwr.exe
excel.exe
excelcnv.exe
executeprocess.exe
expand.exe
explorer.exe
extexport.exe
extrac32.exe
fc.exe
find.exe
findstr.exe
finger.exe
firefox.exe
fixmapi.exe
flashplayerupdateservice.exe
flashutil32_11_3_300_257_activex.exe
flashutil64_11_3_300_257_activex.exe
fltmc.exe
fmapp.exe
fontview.exe
forfiles.exe
fsutil.exe
ftp.exe
fvenotify.exe
fveprompt.exe
fveupdate.exe
fxscover.exe
fxssvc.exe
fxsunatd.exe
gameoverlayui.exe
getmac.exe
gettingstarted.exe
gfxui.exe
googletalk.exe
gpresult.exe
gpscript.exe
gpupdate.exe
graph.exe
grpconv.exe
hdwwiz.exe
help.exe
helppane.exe
hh.exe
hkcmd.exe
hostname.exe
hwrcomp.exe
hwrreg.exe
iastordatamgrsvc.exe
iastoricon.exe
icacls.exe
icardagt.exe
icsunattend.exe
ie4uinit.exe
iecleanup.exe
iediagcmd.exe
ieinstal.exe
ielowutil.exe
ieunatt.exe
iexplore.exe
iexpress.exe
igfxext.exe
igfxpers.exe
igfxsrvc.exe
igfxtray.exe
imagingdevices.exe
imgburn.exe
imgburnpreview.exe
infdefaultinstall.exe
infopath.exe
ipconfig.exe
irftp.exe
iscsicli.exe
iscsicpl.exe
isoburn.exe
itunes.exe
java.exe
javaw.exe
javaws.exe
journal.exe
klist.exe
ksetup.exe
ktmutil.exe
label.exe
launcher.exe
locationnotifications.exe
locator.exe
lodctr.exe
logagent.exe
logman.exe
logoff.exe
logonui.exe
logtransport2.exe
lpksetup.exe
lpremove.exe
lsass.exe
lsm.exe
lucidservices.exe
magnify.exe
mainserv.exe
makecab.exe
manage-bde.exe
mblctr.exe
mcbuilder.exe
mctadmin.exe
mdres.exe
mdsched.exe
mfpmp.exe
migautoplay.exe
mirc.exe
misc.exe
mmc.exe
mobsync.exe
moe.exe
mofcomp.exe
mountvol.exe
mpcmdrun.exe
mpnotify.exe
mpsigstub.exe
mrinfo.exe
mrt.exe
msaccess.exe
msascui.exe
msconfig.exe
msdt.exe
msdtc.exe
msfeedssync.exe
msg.exe
mshta.exe
msiexec.exe
msinfo32.exe
msmpeng.exe
msnmsgr.exe
msohtmed.exe
msosync.exe
msouc.exe
mspaint.exe
mspub.exe
msqry32.exe
msra.exe
msseces.exe
msseoobe.exe
mstordb.exe
mstore.exe
mstsc.exe
msworks.exe
mtstocom.exe
muiunattend.exe
multidigimon.exe
namecontrolserver.exe
napstat.exe
narrator.exe
nbtstat.exe
ndadmin.exe
net.exe
net1.exe
netbtugc.exe
netcfg.exe
netiougc.exe
netplwiz.exe
netproj.exe
netsh.exe
netstat.exe
newdev.exe
nissrv.exe
nltest.exe
notepad.exe
nslookup.exe
ntoskrnl.exe
ntprint.exe
ntutil64.exe
nusb3mon.exe
nusb3utl.exe
nvcplui.exe
nvsmartmaxapp.exe
nvsmartmaxapp64.exe
nvtray.exe
nvvsvc.exe
nvxdsync.exe
ocsetup.exe
odbcad32.exe
odbcconf.exe
openfiles.exe
opera.exe
optionalfeatures.exe
osk.exe
ospprearm.exe
osppsvc.exe
outlook.exe
p2phost.exe
pathping.exe
pcalua.exe
pcaui.exe
pcawrk.exe
pcwrun.exe
pdialog.exe
pdvd10serv.exe
pdvdlaunchpolicy.exe
perfmon.exe
photoshop.exe
pictureviewer.exe
pidgin.exe
ping.exe
pkgmgr.exe
plasrv.exe
plugin-container.exe
pnpunattend.exe
pnputil.exe
poqexec.exe
potdata.exe
powercfg.exe
powerchute.exe
powerdvd10.exe
powerpnt.exe
pptico.exe
pptview.exe
presentationhost.exe
presentationsettings.exe
prevhost.exe
print.exe
printbrmui.exe
printfilterpipelinesvc.exe
printisolationhost.exe
printui.exe
proquota.exe
psqltray.exe
psr.exe
pushprinterconnections.exe
qappsrv.exe
qprocess.exe
qttask.exe
query.exe
quicktimeplayer.exe
quser.exe
qwinsta.exe
rar.exe
rasautou.exe
rasdial.exe
raserver.exe
rasphone.exe
ravbg64.exe
ravcpl64.exe
rdpclip.exe
rdpinit.exe
rdpshell.exe
rdpsign.exe
rdrleakdiag.exe
rdrmemptylst.exe
rdvghelper.exe
readerupdater.exe
reader_sl.exe
reagentc.exe
realconverter.exe
realplay.exe
recdisc.exe
recover.exe
reg.exe
regedit.exe
regedt32.exe
regini.exe
registeriepkeys.exe
regsvr32.exe
rekeywiz.exe
relog.exe
relpost.exe
repair-bde.exe
replace.exe
reset.exe
resmon.exe
richvideo64.exe
richvideoinstall.exe
richvideouninstall.exe
rmactivate.exe
rmactivate_isv.exe
rmactivate_ssp.exe
rmactivate_ssp_isv.exe
rmclient.exe
robocopy.exe
route.exe
rpcping.exe
rrinstaller.exe
rstrui.exe
rtkngui64.exe
rtlupd64.exe
runas.exe
rundll32.exe
runlegacycplelevated.exe
runonce.exe
rwinsta.exe
safari.exe
sbunattend.exe
sc.exe
schtasks.exe
scrcons.exe
sdbinst.exe
sdchange.exe
sdclt.exe
sdiagnhost.exe
searchfilterhost.exe
searchindexer.exe
searchprotocolhost.exe
secedit.exe
secinit.exe
selfcert.exe
services.exe
sethc.exe
setieinstalleddate.exe
setlang.exe
setspn.exe
setup.exe
setupcl.exe
setupugc.exe
setup_wm.exe
setx.exe
sfc.exe
shadow.exe
shrpubw.exe
shutdown.exe
sidebar.exe
sigverif.exe
skype.exe
skytel.exe
sllauncher.exe
slui.exe
smss.exe
sndvol.exe
snippingtool.exe
snmptrap.exe
softwareupdate.exe
sort.exe
soundrecorder.exe
spinstall.exe
splwow64.exe
spoolsv.exe
sppsvc.exe
spreview.exe
sqlservr.exe
sqlwriter.exe
srdelayed.exe
steam.exe
steamerrorreporter.exe
steamservice.exe
stikynot.exe
subst.exe
svchost.exe
sxstrace.exe
synchost.exe
syskey.exe
systeminfo.exe
systempropertiesadvanced.exe
systempropertiescomputername.exe
systempropertiesdataexecutionprevention.exe
systempropertieshardware.exe
systempropertiesperformance.exe
systempropertiesprotection.exe
systempropertiesremote.exe
systray.exe
tabcal.exe
takeown.exe
tapiunattend.exe
taskeng.exe
taskhost.exe
taskkill.exe
tasklist.exe
taskmgr.exe
tcmsetup.exe
tcpsvcs.exe
thunderbird.exe
thxcfg64.exe
timeout.exe
tpminit.exe
tracerpt.exe
tracert.exe
trustedinstaller.exe
tscon.exe
tsdiscon.exe
tskill.exe
tstheme.exe
tsusbredirectiongrouppolicycontrol.exe
tswbprxy.exe
tswpfwrp.exe
twunk_16.exe
twunk_32.exe
typeperf.exe
tzutil.exe
ucsvc.exe
ui0detect.exe
unins000.exe
uninstall.exe
uninstall_gui.exe
unlodctr.exe
unrar.exe
unregmp2.exe
unsecapp.exe
updreg.exe
upeksvr.exe
upnpcont.exe
useraccountcontrolsettings.exe
userinit.exe
utilman.exe
validateups.exe
vaultcmd.exe
vaultsysui.exe
vds.exe
vdsldr.exe
verclsid.exe
verifier.exe
virtucontrolpanel.exe
visio.exe
vlc-cache-gen.exe
vlc.exe
vmicsvc.exe
vpreview.exe
vssadmin.exe
vssvc.exe
w32tm.exe
wab.exe
wabmig.exe
waitfor.exe
wbadmin.exe
wbemtest.exe
wbengine.exe
wecutil.exe
werfault.exe
werfaultsecure.exe
wermgr.exe
wevtutil.exe
wextract.exe
wfs.exe
where.exe
whoami.exe
wiaacmgr.exe
wiawow64.exe
wimserv.exe
winamp.exe
windowsanytimeupgraderesults.exe
windowslivesync.exe
windowslivewriter.exe
winhlp32.exe
wininit.exe
winload.exe
winlogon.exe
winmgmt.exe
winrar.exe
winresume.exe
winrs.exe
winrshost.exe
winsat.exe
winver.exe
winword.exe
winzip32.exe
winzip64.exe
wisptis.exe
wkscal.exe
wkscalrem.exe
wksprt.exe
wlanext.exe
wlrmdr.exe
wlsync.exe
wmiadap.exe
wmiapsrv.exe
wmic.exe
wmiprvse.exe
wmlaunch.exe
wmpconfig.exe
wmpdmc.exe
wmpenc.exe
wmplayer.exe
wmpnetwk.exe
wmpnscfg.exe
wmprph.exe
wmpshare.exe
wmpsideshowgadget.exe
wordconv.exe
wordicon.exe
wowreg32.exe
wow_helper.exe
wpdshextautoplay.exe
wpnpinst.exe
write.exe
writeminidump.exe
wscript.exe
wsmanhttpconfig.exe
wsmprovhost.exe
wsqmcons.exe
wuapp.exe
wuauclt.exe
wudfhost.exe
wusa.exe
xcopy.exe
xlicons.exe
xpsrchvw.exe
xwizard.exe

In other news, Microsoft has a Fix-It for 32-bit IE (apparently 64-bit is not being targeted): http://support.microsoft.com/kb/2757760

babcom

Member
I found the major CPU load problem. Comodo Internet Security and EMET 3.5 TP are not compatible when any of the ROP features are turned on. So far, the only way I've found to use ROP on EMET 3.5, is to completely uninstall CIS.
 

dennilfloss

Past Lifer 1957-2014 In Memoriam
dennilfloss.blogspot.com
I use IE only for sites that don't like Opera but Windows notified me of a critical update last night to fix this IE problem. Updated without a hitch as far as I can see.