ID CVE-2012-4969
Summary Use-after-free vulnerability in the CMshtmlEd::Exec function in mshtml.dll in Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code via a crafted web site, as exploited in the wild in September 2012.
References
Vulnerable Configurations
  • Microsoft Internet Explorer 6
    cpe:2.3:a:microsoft:internet_explorer:6
  • cpe:2.3:o:microsoft:windows_server:2003:sp2
    cpe:2.3:o:microsoft:windows_server:2003:sp2
  • cpe:2.3:o:microsoft:windows_server:2003:sp2:-:-:-:-:itanium
    cpe:2.3:o:microsoft:windows_server:2003:sp2:-:-:-:-:itanium
  • cpe:2.3:o:microsoft:windows_server:2003:sp2:-:-:-:-:x64
    cpe:2.3:o:microsoft:windows_server:2003:sp2:-:-:-:-:x64
  • cpe:2.3:o:microsoft:windows_xp:-:sp2:-:-:professional:-:-:x64
    cpe:2.3:o:microsoft:windows_xp:-:sp2:-:-:professional:-:-:x64
  • Microsoft Windows XP Service Pack 3
    cpe:2.3:o:microsoft:windows_xp:-:sp3
  • Microsoft Internet Explorer 7
    cpe:2.3:a:microsoft:internet_explorer:7
  • cpe:2.3:o:microsoft:windows_server:2003:sp2
    cpe:2.3:o:microsoft:windows_server:2003:sp2
  • cpe:2.3:o:microsoft:windows_server:2003:sp2:-:-:-:-:itanium
    cpe:2.3:o:microsoft:windows_server:2003:sp2:-:-:-:-:itanium
  • cpe:2.3:o:microsoft:windows_server:2003:sp2:-:-:-:-:x64
    cpe:2.3:o:microsoft:windows_server:2003:sp2:-:-:-:-:x64
  • cpe:2.3:o:microsoft:windows_server:2008:sp2
    cpe:2.3:o:microsoft:windows_server:2008:sp2
  • cpe:2.3:o:microsoft:windows_server:2008:sp2:-:-:-:-:itanium
    cpe:2.3:o:microsoft:windows_server:2008:sp2:-:-:-:-:itanium
  • cpe:2.3:o:microsoft:windows_server:2008:sp2:-:-:-:-:x64
    cpe:2.3:o:microsoft:windows_server:2008:sp2:-:-:-:-:x64
  • Microsoft Windows Vista Service Pack 2
    cpe:2.3:o:microsoft:windows_vista:-:sp2
  • cpe:2.3:o:microsoft:windows_vista:-:sp2:-:-:-:-:x64
    cpe:2.3:o:microsoft:windows_vista:-:sp2:-:-:-:-:x64
  • Microsoft Windows Vista Service Pack 2
    cpe:2.3:o:microsoft:windows_vista:-:sp2
  • Microsoft Windows XP Service Pack 3
    cpe:2.3:o:microsoft:windows_xp:-:sp3
  • cpe:2.3:o:microsoft:windows_xp:-:sp2:-:-:-:-:x64
    cpe:2.3:o:microsoft:windows_xp:-:sp2:-:-:-:-:x64
  • Microsoft Internet Explorer 8
    cpe:2.3:a:microsoft:internet_explorer:8
  • cpe:2.3:o:microsoft:windows_7:-::-:-:-:-:x64
    cpe:2.3:o:microsoft:windows_7:-::-:-:-:-:x64
  • cpe:2.3:o:microsoft:windows_7:-:x64
    cpe:2.3:o:microsoft:windows_7:-:x64
  • cpe:2.3:o:microsoft:windows_7:-:sp1:-:-:-:-:x64
    cpe:2.3:o:microsoft:windows_7:-:sp1:-:-:-:-:x64
  • cpe:2.3:o:microsoft:windows_7:-:sp1:-:-:-:-:x64
    cpe:2.3:o:microsoft:windows_7:-:sp1:-:-:-:-:x64
  • cpe:2.3:o:microsoft:windows_server:2003:sp2
    cpe:2.3:o:microsoft:windows_server:2003:sp2
  • cpe:2.3:o:microsoft:windows_server:2003:sp2:-:-:-:-:x64
    cpe:2.3:o:microsoft:windows_server:2003:sp2:-:-:-:-:x64
  • cpe:2.3:o:microsoft:windows_server:2008:sp2
    cpe:2.3:o:microsoft:windows_server:2008:sp2
  • cpe:2.3:o:microsoft:windows_server:2008:sp2:-:-:-:-:x64
    cpe:2.3:o:microsoft:windows_server:2008:sp2:-:-:-:-:x64
  • Microsoft Windows Server 2008 R2 on Itanium
    cpe:2.3:o:microsoft:windows_server_2008:r2:-:-:-:-:-:itanium
  • Microsoft Windows Server 2008 R2 on x64
    cpe:2.3:o:microsoft:windows_server_2008:r2:-:-:-:-:-:x64
  • cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:-:-:-:-:itanium
    cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:-:-:-:-:itanium
  • cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:-:-:-:-:x64
    cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:-:-:-:-:x64
  • Microsoft Windows Vista Service Pack 2
    cpe:2.3:o:microsoft:windows_vista:-:sp2
  • cpe:2.3:o:microsoft:windows_vista:-:sp2:-:-:-:-:x64
    cpe:2.3:o:microsoft:windows_vista:-:sp2:-:-:-:-:x64
  • Microsoft Windows Vista Service Pack 2
    cpe:2.3:o:microsoft:windows_vista:-:sp2
  • Microsoft Windows XP Service Pack 3
    cpe:2.3:o:microsoft:windows_xp:-:sp3
  • cpe:2.3:o:microsoft:windows_xp:-:sp2:-:-:-:-:x64
    cpe:2.3:o:microsoft:windows_xp:-:sp2:-:-:-:-:x64
  • Microsoft Internet Explorer 9
    cpe:2.3:a:microsoft:internet_explorer:9
  • Microsoft Windows 7
    cpe:2.3:o:microsoft:windows_7
  • cpe:2.3:o:microsoft:windows_7:-::-:-:-:-:x64
    cpe:2.3:o:microsoft:windows_7:-::-:-:-:-:x64
  • cpe:2.3:o:microsoft:windows_7:-:sp1:-:-:-:-:x64
    cpe:2.3:o:microsoft:windows_7:-:sp1:-:-:-:-:x64
  • cpe:2.3:o:microsoft:windows_7:-:sp1:-:-:-:-:x86
    cpe:2.3:o:microsoft:windows_7:-:sp1:-:-:-:-:x86
  • Microsoft Windows 7 64-bit
    cpe:2.3:o:microsoft:windows_7:-:-:-:-:-:-:x64
  • cpe:2.3:o:microsoft:windows_7:-:sp1:-:-:-:-:x64
    cpe:2.3:o:microsoft:windows_7:-:sp1:-:-:-:-:x64
  • cpe:2.3:o:microsoft:windows_7:-:sp1:-:-:-:-:x86
    cpe:2.3:o:microsoft:windows_7:-:sp1:-:-:-:-:x86
  • cpe:2.3:o:microsoft:windows_server_2008:-:sp2:-:-:-:-:x64
    cpe:2.3:o:microsoft:windows_server_2008:-:sp2:-:-:-:-:x64
  • Microsoft Windows Server 2008 Service Pack 2
    cpe:2.3:o:microsoft:windows_server_2008:-:sp2
  • Microsoft Windows Server 2008 R2 on x64
    cpe:2.3:o:microsoft:windows_server_2008:r2:-:-:-:-:-:x64
  • cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:-:-:-:-:x64
    cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:-:-:-:-:x64
  • cpe:2.3:o:microsoft:windows_vista:-:sp2:-:-:-:-:x64
    cpe:2.3:o:microsoft:windows_vista:-:sp2:-:-:-:-:x64
  • cpe:2.3:o:microsoft:windows_vista:sp2
    cpe:2.3:o:microsoft:windows_vista:sp2
CVSS
Base: 9.3 (as of 18-09-2012 - 13:21)
Impact:
Exploitability:
Access
  Vector NETWORK
  Complexity MEDIUM
  Authentication NONE
Impact
  Confidentiality COMPLETE
  Integrity COMPLETE
  Availability COMPLETE
exploit-db via4
description MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability. CVE-2012-4969. Remote exploit for windows platform
id EDB-ID:21840
last seen 2016-02-02
modified 2012-10-10
published 2012-10-10
reporter metasploit
source https://www.exploit-db.com/download/21840/
title Microsoft Internet Explorer - execCommand Use-After-Free Vulnerability MS12-063
metasploit via4
description This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner, but the same memory is reused again later in the CMshtmlEd::Exec() function, leading to a use-after-free condition. Please note that this vulnerability has been exploited in the wild since Sep 14 2012. Also note that presently, this module has some target dependencies for the ROP chain to be valid. For WinXP SP3 with IE8, msvcrt must be present (as it is by default). For Vista or Win7 with IE8, or Win7 with IE9, JRE 1.6.x or below must be installed (which is often the case).
id MSF:EXPLOIT/WINDOWS/BROWSER/IE_EXECCOMMAND_UAF
last seen 2019-03-26
modified 2017-10-05
published 2012-09-17
reliability Good
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_execcommand_uaf.rb
title CVE-2012-4969 MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability
msbulletin via4
bulletin_id MS12-063
bulletin_url
date 2012-09-21T00:00:00
impact Remote Code Execution
knowledgebase_id 2744842
knowledgebase_url
severity Critical
title Cumulative Security Update for Internet Explorer
nessus via4
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS12-063.NASL
    description The remote host is missing Internet Explorer (IE) Security Update 2744842. The installed version of IE is affected by vulnerabilities that could allow an attacker to execute arbitrary code on the remote host.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 62223
    published 2012-09-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62223
    title MS12-063: Cumulative Security Update for Internet Explorer (2744842)
  • NASL family Windows
    NASL id SMB_KB2757760.NASL
    description The remote host is missing the workaround referenced in KB 2757760 (Microsoft 'Fix it' 50939). This workaround mitigates a use-after-free vulnerability in Internet Explorer. Without this workaround enabled, an attacker could exploit this vulnerability by tricking a user into viewing a maliciously crafted web page, resulting in arbitrary code execution. This vulnerability is being actively exploited in the wild. This plugin has been deprecated due to the publication of MS12-063. Microsoft has released patches that make the workarounds unnecessary. To check for the patches, use Nessus plugin ID 62223.
    last seen 2017-10-29
    modified 2017-08-30
    plugin id 62201
    published 2012-09-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62201
    title MS KB2757760: Vulnerability in Internet Explorer Could Allow Remote Code Execution (deprecated)
oval via4
accepted 2014-08-18T04:01:23.133-04:00
class vulnerability
contributors
  • name SecPod Team
    organization SecPod Technologies
  • name Maria Mikhno
    organization ALTX-SOFT
definition_extensions
  • comment Microsoft Internet Explorer 6 is installed
    oval oval:org.mitre.oval:def:563
  • comment Microsoft Windows XP (32-bit) is installed
    oval oval:org.mitre.oval:def:1353
  • comment Microsoft Windows XP x64 is installed
    oval oval:org.mitre.oval:def:15247
  • comment Microsoft Windows Server 2003 (32-bit) is installed
    oval oval:org.mitre.oval:def:1870
  • comment Microsoft Windows Server 2003 (x64) is installed
    oval oval:org.mitre.oval:def:730
  • comment Microsoft Windows Server 2003 (ia64) Gold is installed
    oval oval:org.mitre.oval:def:396
  • comment Microsoft Internet Explorer 7 is installed
    oval oval:org.mitre.oval:def:627
  • comment Microsoft Windows XP (32-bit) is installed
    oval oval:org.mitre.oval:def:1353
  • comment Microsoft Windows XP x64 is installed
    oval oval:org.mitre.oval:def:15247
  • comment Microsoft Windows Server 2003 (32-bit) is installed
    oval oval:org.mitre.oval:def:1870
  • comment Microsoft Windows Server 2003 (x64) is installed
    oval oval:org.mitre.oval:def:730
  • comment Microsoft Windows Server 2003 (ia64) Gold is installed
    oval oval:org.mitre.oval:def:396
  • comment Microsoft Windows Vista (32-bit) is installed
    oval oval:org.mitre.oval:def:1282
  • comment Microsoft Windows Vista x64 Edition is installed
    oval oval:org.mitre.oval:def:2041
  • comment Microsoft Windows Server 2008 (32-bit) is installed
    oval oval:org.mitre.oval:def:4870
  • comment Microsoft Windows Server 2008 (64-bit) is installed
    oval oval:org.mitre.oval:def:5356
  • comment Microsoft Windows Server 2008 (ia-64) is installed
    oval oval:org.mitre.oval:def:5667
  • comment Microsoft Internet Explorer 8 is installed
    oval oval:org.mitre.oval:def:6210
  • comment Microsoft Windows XP (32-bit) is installed
    oval oval:org.mitre.oval:def:1353
  • comment Microsoft Windows XP x64 is installed
    oval oval:org.mitre.oval:def:15247
  • comment Microsoft Windows Server 2003 (32-bit) is installed
    oval oval:org.mitre.oval:def:1870
  • comment Microsoft Windows Server 2003 (x64) is installed
    oval oval:org.mitre.oval:def:730
  • comment Microsoft Windows Server 2008 (32-bit) is installed
    oval oval:org.mitre.oval:def:4870
  • comment Microsoft Windows Server 2008 (64-bit) is installed
    oval oval:org.mitre.oval:def:5356
  • comment Microsoft Windows Vista (32-bit) is installed
    oval oval:org.mitre.oval:def:1282
  • comment Microsoft Windows Vista x64 Edition is installed
    oval oval:org.mitre.oval:def:2041
  • comment Microsoft Windows 7 is installed
    oval oval:org.mitre.oval:def:12541
  • comment Microsoft Windows Server 2008 R2 x64 Edition is installed
    oval oval:org.mitre.oval:def:6438
  • comment Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed
    oval oval:org.mitre.oval:def:5954
  • comment Microsoft Windows 7 (32-bit) is installed
    oval oval:org.mitre.oval:def:6165
  • comment Microsoft Windows 7 x64 Edition is installed
    oval oval:org.mitre.oval:def:5950
  • comment Microsoft Windows Server 2008 R2 x64 Edition is installed
    oval oval:org.mitre.oval:def:6438
  • comment Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed
    oval oval:org.mitre.oval:def:5954
  • comment Microsoft Internet Explorer 9 is installed
    oval oval:org.mitre.oval:def:11985
  • comment Microsoft Windows 7 (32-bit) is installed
    oval oval:org.mitre.oval:def:6165
  • comment Microsoft Windows 7 x64 Edition is installed
    oval oval:org.mitre.oval:def:5950
  • comment Microsoft Windows Server 2008 R2 x64 Edition is installed
    oval oval:org.mitre.oval:def:6438
  • comment Microsoft Windows Server 2008 (32-bit) is installed
    oval oval:org.mitre.oval:def:4870
  • comment Microsoft Windows Server 2008 (64-bit) is installed
    oval oval:org.mitre.oval:def:5356
  • comment Microsoft Windows Vista (32-bit) is installed
    oval oval:org.mitre.oval:def:1282
  • comment Microsoft Windows Vista x64 Edition is installed
    oval oval:org.mitre.oval:def:2041
  • comment Microsoft Windows 7 is installed
    oval oval:org.mitre.oval:def:12541
description Use-after-free vulnerability in the CMshtmlEd::Exec function in mshtml.dll in Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code via a crafted web site, as exploited in the wild in September 2012.
family windows
id oval:org.mitre.oval:def:15729
status accepted
submitted 2012-09-22T12:54:21
title execCommand Use After Free Vulnerability - MS12-063
version 71
refmap via4
cert
  • TA12-255A
  • TA12-262A
  • TA12-265A
cert-vn VU#480095
confirm http://technet.microsoft.com/security/advisory/2757760
misc
sectrack 1027538
saint via4
bid 55562
description Internet Explorer CMshtmlEd execCommand Use After Free
id win_patch_ie_v8,win_patch_ie_v9
osvdb 85532
title ie_cmshtmled_exec_uaf
type client
the hacker news via4
Last major update 02-11-2013 - 23:27
Published 18-09-2012 - 06:39
Last modified 21-11-2017 - 13:13