Zero day vulnerability in mshtml.dll used by Internet Explorer 6, 7, 8 and 9, and many other products.
Posted by jpluimers on 2012/09/20
Summary:
- Zero day vulnerability in mshtml.dll used by Internet Explorer 6, 7, 8 and 9, and many other products.
- Resolution: Deploy EMET or stop using IE and other products using mshtml.dll until Microsoft delivers a patch.
Earlier this week a zero-day vulnerability in the mshtml.dll was made public. This DLL is used by almost all Internet Explorer versions (6-9 are vulnerable) and many other software products (almost anything from Microsoft and a lot of 3rd party software that displays a web page on Windows).
While Microsoft is building a fix that is to be released very soon now (probably tomorrow, Friday September 21st 2010), the official resolutions are not to use the mshtml.dll at all (impractical for many people), or deploy EMET (impractical too as it requires administrative privileges).
If you can, switch to a browser that uses a different layout engine than mshtml.dll (for instance browsers based on WebKit will do).
These pages are good starting points for more information:
- CVE – CVE-2012-4969 (under review).
- Microsoft Offers Guidance for Internet Explorer Zero-Day | SecurityWeek.Com.
Particularly interesting posts:
- Zero-Day Season Is Really Not Over Yet.
- Microsoft Internet Explorer execCommand Vulnerability Metasploit Demo.
- Microsoft Offers Guidance for Internet Explorer Zero-Day | SecurityWeek.Com.
- Microsoft to release emergency Internet Explorer patch tomorrow – SC Magazine UK.
–jeroen
The Wiert Corner - irregular stream of stuff 
Petr Vones said
Security update is scheduled for today http://blogs.technet.com/b/msrc/archive/2012/09/19/internet-explorer-fix-it-available-now-security-update-scheduled-for-friday.aspx
jpluimers said
@All: if you haven’t updated yet, do it NOW!
@Petr: Thanks. I was on the road, so I couldn’t post this yesterday.
Petr Vones said
There is “Fix It” workaround available http://support.microsoft.com/kb/2757760
IL said
Why EMET is considered impractical? It’s easy to deploy and configure.
jpluimers said
Impractical because lot’s of people don’t have administrative access to their computers.
Petr Vones said
Well, it is up to administrators of their computers to care about that.
IL said
Thanks for the link to a very good article on configuring EMET http://www.rationallyparanoid.com/articles/microsoft-emet-3.html
I hope it can prevent some 0-day Java/PDF/Flash exploits too. Pesonally I’m using EMET at my home and work computers for some time, but have seen it triggered only once.
IL said
Not once but twice:
on 2012/08/21 EMET detected MandatoryASLR mitigation and will close the application: C:\Program Files\totalcmd\TOTALCMD.EXE
on 2012/07/30 EMET detected SEHOP mitigation and will close the application: C:\MinGW\msys\1.0\home\admin\farmanager\unicode_far\Release.32.gcc\Far.exe
Far was compiled from sources. Not sure what version of Total Commander triggered MandatoryASLR.