VULNERABILITY

Resecurity discovered 0-day RCE vulnerability in Internet Explorer

Posted on Nov 12 / 19

What is the Vulnerability?

Resecurity discovered a critical zero-day vulnerability in the Jscript Garbage Collection mechanism within Internet Explorer, which allows an attacker to execute arbitrary code.

From Microsoft Security Response Center (MSRC):

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

What does it allow a hacker to do?

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the browser.

Why is this important?

Remote Code Execution (RCE) vulnerabilities are actively used by threat actors to distribute malware. From the date of reporting – the vulnerability had 0-day status. Cyberespionage groups and state actors are using the vulnerabilities for targeted attacks and APT campaigns.

What is the resolution?

Resecurity reported this vulnerability previously to Microsoft on October 20th 2019. Resecurity® HUNTER, a security R&D unit, has provided detailed description of the vulnerability, along with Proof-of-Concept POC. As of November 12th, we are pleased to report that Microsoft has released a patch, as (after CVE-2019-1429)for all versions.

The developed Proof-of-Concept supports Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, including the latest version of Internet Explorer 11.

Affected platforms – Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

Notes:

In July Resecurity has reported another 0-day vulnerability to Microsoft leading to Local Privileges Escalation (LPE) (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0880). A local elevation of privilege vulnerability existed in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity.

This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted.

“We assume both identified 0-day vulnerabilities are related to the tradecraft of the same cyberespionage group focused on APT campaigns against defense, federal and financial sector. The geography of their end targets (victims) is extremely broad and include Middle East, APAC, USA and European Union. Previously, the group was leveraging possible “false flag” attack – that’s why attribution at this moment is fuzzy. We continue to monitor the activity of the group and update our customers and intelligence community about the new previously unknown threats and zero-day vulnerabilities” – says Gene Yoo, Chief Executive Officer of Resecurity.

Gene Yoo added:

“We see a huge demand on these kinds of vulnerabilities on both – “blackmarket” and cyberwarfare market with solid players in face of governments and advanced cyberespionage groups. Privilege escalation vulnerabilities are required to persist on the victim’s machine and typically integrated into the malicious payload. Remote Code Execution is needed to deliver malicious payload on the victim’s machine. Combination of such 0-day vulnerabilities allow to bypass existing security controls and evade detection”.