Massive Vulnerability CVE-2013-0027 Strikes Internet Explorer 6 to 10

by News Editor on April 1st, 2013 in Security Alerts.

By: Aditya Balapure (Infosec Institute)

The recent major vulnerability CVE-2013-0027 flooded almost all versions of Microsoft Internet Explorer and affected operating systems like Windows XP, Vista, 7, and 8, including all the major server versions too. Some thirteen privately reported vulnerabilities were recently resolved in a security bulletin by Microsoft.

The vulnerability, now marked as critical for Internet Explorer 6, 7, 8, 9 and 10, allowed remote code execution if a user tried to view a specially crafted web page using those versions of IE. As disclosed by Microsoft, an attacker could gain the same user privileges as the current user on the successful exploitation of the vulnerability, which triggers due to improper memory operations performed by IE when handling the crafted HTML content. Also, if the current user had administrator privileges, the attacker could compromise the whole system.

For successful exploitation, a malicious user may trick a normal user to go to a malicious site, using instructions, probably even phishing, to actually make the user click that particular link. The malicious site would contain HTML code that fails in maintaining the proper reference count of an object, causing the vulnerability.

Due to this incorrect reference count, an attacker would be able to force the freeing of an object currently in use. He could then reallocate the memory previously allocated for the freed object to contain an attacker controlled data. This ultimately results in remote code execution when the freed object was later accessed. The vulnerability may then allow access of deleted or previously removed memory objects, ending in a use after free error and memory corruption. For a deeper look into the inner workings of common vulnerabilities and exploits, check out and learn more about the CEH Training course offered by InfoSec Institute.

This recent hack actually complemented the previously released patches in MS12-063, which also had remote code execution vulnerabilities.

This particular vulnerability has a CVSS rating of 9.3, which is quite high. According to Microsoft Security Bulletin MS13-009, the remediation to the vulnerability is an automatic update using a security patch released by Microsoft. Computer administrators are further warned to alert users running ActiveX content to adjust security settings to High or disable ActiveX for more secure zones. It’s also recommended that they use Microsoft Baseline Security Analyzer tool to scan for security issues and misconfigurations. Users, on the other hand, are advised not to click on links unless and until they are from a verified entity.

On similar lines, we had various CVEs like CVE-2013-0018, which allowed remote attackers to execute arbitrary code through a crafted website that triggered access to a deleted object, known as the IE Set Capture Use After Free Vulnerability. CVE-2013-0019 – CVE-2013-0029 were similarly using the same use after free vulnerability in different modules like CHTML, CobjectElement, InsertElement, SlayoutRun etc.

About Infosec Institute:

InfoSec Institute was founded in 1998 by an expert team of information security instructors. Their goal was to build a business by offering the best possible training experience for students. InfoSec Institute deeply understands the needs of today's IT professionals and is best positioned to offer world class training. Their wide range of security specific classes helps a diverse group of customers get the training they need and deserve.

References: