Software Engineering Institute

Microsoft Internet Explorer contains a use-after-free vulnerability in the mshtml CButton object. Specially-crafted JavaScript can cause Internet Explorer to free the CButton object without removing a pointer, resulting in a state where Internet Explorer may attempt to call an invalid memory address. This memory address may be under the control of the attacker.

This vulnerability is currently being exploited in the wild, using Adobe Flash to achieve a heap spray and Java to provide Return Oriented Programming (ROP) gadgets. Other proof-of-concept exploits are publicly available that do not use heap spraying.

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), Microsoft Office document, an attacker may be able to execute arbitrary code.

Apply an Update

Microsoft has released MS13-008 to address this vulnerability. Users should run Windows Update to receive the patch. If a user is unable to update, please consider the following workarounds:

Use the Microsoft Enhanced Mitigation Experience Toolkit

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a video tutorial for setting up EMET 3.0 on Windows 7. Note that platforms that do not support ASLR, such as Windows XP and Windows Server 2003, will not receive the same level of protection that modern Windows platforms will.

Apply the Microsoft Fix It

Microsoft has provided a "Fix it" patch that causes Internet Explorer to safely crash if this vulnerability is attempted to be exploited, rather than resulting in code execution. Please see the Microsoft SRD blog entry for more details. Note that Windows must be fully-patched for the Fix it to be effective. There is also a report that the Fix it is insufficient to completely address the vulnerability.

Disable the Flash ActiveX control in Internet Explorer

While it does not address the underlying vulnerability in Internet Explorer, disabling Flash may break some exploits. The Flash ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:

{D27CDB6E-AE6D-11cf-96B8-444553540000}

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400