VU#154201: Microsoft Internet Explorer CDwnBindInfo use-after-free vulnerability
Vulnerability Note VU#154201
Original Release date: 29 Dec 2012 | Last revised: 29 Dec 2012
Microsoft Internet Explorer contains a use-after-free vulnerability in the CDwnBindInfo object, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
This vulnerability is currently being exploited in the wild, using Adobe Flash to achieve a heap spray and Java to provide Return Oriented Programming (ROP) gadgets.
By convincing a user to view a specially crafted HTML document (e.g., a web page, an HTML email message or attachment, or a Microsoft Office document that embeds HTML content), an attacker may be able to execute arbitrary code with the privileges of the user running Internet Explorer.
We are currently unaware of a practical solution to this problem. Please consider the following workarounds:
Use the Microsoft Enhanced Mitigation Experience Toolkit
The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a video tutorial for setting up EMET 3.0 on Windows 7. Note that platforms that do not support ASLR, such as Windows XP and Windows Server 2003, will not receive the same level of protection that modern Windows platforms will.
Disable the Flash ActiveX control in Internet Explorer
While it does not address the underlying vulnerability in Internet Explorer, disabling Flash may break current exploits. The Flash ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:
{D27CDB6E-AE6D-11cf-96B8-444553540000}
More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control (the "Compatibility Flags" value of 0x400 is the kill bit documented in that article):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
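The same kill bit can be set and verified from an elevated PowerShell prompt. The script below is an added example and is not part of the CERT/CC note or of Microsoft's documentation; the function and variable names are my own. It uses the Flash CLSID and the 0x400 Compatibility Flags value from Microsoft Support Document 240797, ORs the bit into any flags already present rather than overwriting them, and also writes the Wow6432Node view that 32-bit Internet Explorer reads on 64-bit Windows.

```powershell
# Added example (not from the CERT/CC note): set and verify the ActiveX kill bit
# for the Flash Player control in Internet Explorer. Run as Administrator.
# Function and variable names are hypothetical; CLSID and 0x400 come from KB 240797.

$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$KillBit    = 0x400

# 64-bit Windows keeps a separate registry view for 32-bit IE under Wow6432Node,
# so both keys are written when that node exists.
$AxCompatRoots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility') {
    $AxCompatRoots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Set-ActiveXKillBit {
    param([string]$Clsid, [string[]]$Roots)
    foreach ($root in $Roots) {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the kill bit into existing flags so other compatibility bits survive.
        $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $existing) { $existing = 0 }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($existing -bor $KillBit) -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([string]$Clsid, [string[]]$Roots)
    $allSet = $true
    foreach ($root in $Roots) {
        $key   = Join-Path $root $Clsid
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $isSet = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
        Write-Host ('{0} : Compatibility Flags = 0x{1:X} (kill bit {2})' -f $key, [int]$flags, $(if ($isSet) { 'SET' } else { 'NOT SET' }))
        if (-not $isSet) { $allSet = $false }
    }
    return $allSet
}

Set-ActiveXKillBit  -Clsid $FlashClsid -Roots $AxCompatRoots
if (-not (Test-ActiveXKillBit -Clsid $FlashClsid -Roots $AxCompatRoots)) {
    Write-Warning 'Kill bit is not set for the Flash control in at least one registry view.'
}
```

Internet Explorer must be restarted for the kill bit to take effect. Because the bit is ORed in, re-running the script is harmless, and clearing it later means removing only the 0x400 bit from "Compatibility Flags", not deleting the whole key.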
Disable Java in Internet Explorer
While it does not address the underlying vulnerability in Internet Explorer, disabling Java may break current exploits. Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details.
Vendor Information
No information available. If you are a vendor and your product is affected, let us know.
This vulnerability was described by Eric Romang and FireEye.
This document was written by Will Dormann.
Date Public: 28 Dec 2012
Date First Published: 29 Dec 2012
Date Last Updated: 29 Dec 2012