Internet Explorer CMshtmlEd execCommand Use After Free

Added: 09/19/2012
CVE: CVE-2012-4969
BID: 55562
OSVDB: 85532

Background

Internet Explorer is an HTML web browser which comes by default on Microsoft operating systems.

Problem

Internet Explorer does not properly clean up references to objects passed to the execCommand Javascript method. If execCommand is called by an object's event handler and the execCommand parameter modifies the DOM such that the parent object is modified, the parent is freed and reallocated, but references to the parent are not redirected. This can cause a use-after-free condition, which may be exploitable when combined with a heap spray.

Resolution

Apply the patch detailed in Microsoft Security Bulletin MS12-063.
Alternatively, installing the Microsoft Exploit Mitigation Experience Toolkit prevents this vulnerability from being exploited, and also improves overall security of your Windows system. To install and configure Microsoft Exploit Mitigation Experience Toolkit, following the instructions in Microsoft Security Advisory 2757760.

References

http://technet.microsoft.com/en-us/security/bulletin/ms12-063
http://technet.microsoft.com/en-us/security/advisory/2757760
http://www.microsoft.com/en-us/download/details.aspx?id=29851
http://nakedsecurity.sophos.com/2012/09/18/microsoft-advisory-internet-explorer-zero-day-affects-most-windows-versions/
http://threatpost.com/en_us/blogs/latest-ie-zero-day-flaw-tied-nitro-hackers-and-recent-java-zero-day-exploits-091712

Limitations

This exploit has been tested against Microsoft Internet Explorer 8 and 9 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn).

Platforms

Windows

Back to exploit index