CVE-2019-0752 Malvertising Threat Analysis
CVE-2019-0752, a remote code execution vulnerability in Internet Explorer, was evaluated by Microsoft as a High severity risk [1]. This allows an unauthenticated, remote attacker to take advantage of a memory corruption vulnerability associated with the Document Object Model (DOM) property handler for script commands in Internet Explorer. This vulnerability requires user interaction obtained through a malicious link or file download.
This impacts the following versions of Internet Explorer 11:
| Platform | Associated KB |
| Windows Server 2012 R2 | 4493446 |
| Windows Server 2012 R2 | 4493435 |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4493472 |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4493435 |
| Windows RT 8.1 | 4493446 |
| Windows 8.1 for x64-based systems | 4493446 |
| Windows 8.1 for x64-based systems | 4493435 |
| Windows 8.1 for 32-bit systems | 4493446 |
| Windows 8.1 for 32-bit systems | 4493435 |
| Windows 7 for x64-based Systems Service Pack 1 | 4493472 |
| Windows 7 for x64-based Systems Service Pack 1 | 4493435 |
| Windows 7 for 32-bit Systems Service Pack 1 | 4493472 |
| Windows 7 for 32-bit Systems Service Pack 1 | 4493435 |
| Windows Server 2016 | 4493470 |
| Windows 10 Version 1607 for x64-based Systems | 4493470 |
| Windows 10 Version 1607 for 32-bit Systems | 4493470 |
| Windows 10 for x64-based Systems | 4493475 |
| Windows 10 for 32-bit Systems | 4493475 |
| Windows 10 Version 1709 for ARM64-based Systems | 4493441 |
| Windows 10 Version 1709 for x64-based Systems | 4493441 |
| Windows 10 Version 1709 for 32-bit Systems | 4493441 |
| Windows Server 2019 | 4493509 |
| Windows 10 Version 1809 for ARM64-based Systems | 4493509 |
| Windows 10 Version 1809 for x64-based Systems | 4493509 |
| Windows 10 Version 1809 for 32-bit Systems | 4493509 |
| Windows 10 Version 1803 for ARM64-based Systems | 4493464 |
| Windows 10 Version 1803 for x64-based Systems | 4493464 |
| Windows 10 Version 1803 for 32-bit Systems | 4493464 |
| Windows 10 Version 1703 for x64-based Systems | 4493474 |
| Windows 10 Version 1703 for 32-bit Systems | 4493474 |
Table 1: Impacted Software – Source: msrc.Microsoft.com
In addition, Internet Explorer 10 on Windows Server 2012 KBs 4493451 and 4493435 are also impacted.
The specific mechanism of exploitation is the IDispatch method which has an execution improvement mechanism that allows direct manipulation of a memory location via pointers. This bypasses specific software processes to deliver a table lookup faster than usual. Because of the ways that parameters are handled in this bypass method, it becomes possible to supply an unanticipated value which results in being able to overwrite an arbitrarily chosen location in memory. This allows accessing any memory location lower than 0x001767dd to inject malicious code. The injection mechanism will exit cleanly after the malicious code has been inserted, increasing the likelihood of a stealthy attack [2].
Proof of concept code is available online on multiple GitHub locations or similar exploit repositories [3][4]. This remote code execution vulnerability can result in undesired software installation, information disclosure, deletion of data, or gaining a primary foothold on a compromised asset at the same privilege level as the user who executes the malicious payload. A malicious actor could then use this as a pivot point to gain greater network access.
This payload can take the form of a malicious HTML file or an ActiveX control in Microsoft Office when the IE rendering engine is enabled. This malicious HTML could be hosted by poisoning ad hosting supply chains to present malicious advertisements to users to install malicious code [5]. This indicates that the malicious scripts could be supplied to a targeted organization through watering-hole-style attacks. Internet message boards allow for user-supplied content of interest to the targeted organization.
Recorded Future reported that this was a top exploit in 2019 based on an analysis of forum postings, dark web websites, and malware repository submissions. Specific instances of malvertising on adult entertainment websites using the Fallout or RIG exploit kits were found. These exploit kits utilized CVE-2019-0752 as a code delivery mechanism via advertisements. The licensing of these exploit kits can be purchased for as little as $75 per week. Successful PII, account credentials, and financial data exfiltration have been observed [6].
This vulnerability is mitigated via patching to the latest version of Internet Explorer. Alternatively, disabling Internet Explorer in favor of modern web browsers is preferred where the business environment permits. CISA has mandated that all Federal Civilian Executive Branch Agencies patch against this no later than 8/15/2022 [7]. This was based on known exploitation in the wild based on credible evidence obtained by CISA Binding Operational Directive 22-01.
Because Internet Explorer 11 is set to be retired on June 15th, 2022, this patch requirement should be considered low priority unless specific use cases are identified where Internet Explorer is still available. After retirement, Microsoft Edge will be loaded unless specific steps are taken to disable Windows Updates that force retirement (which is not recommended). Since exploitation after June 15th will require a user to take special precautions to use Internet Explorer and visit a website with the embedded malicious code, the chance of exploitation in the future is low. As a result, this patch should not be prioritized if organizational patch management resources compete with other security vulnerabilities for mitigation.
Additional mitigation can be performed through firewall blocks, web content filtering, and endpoint security appliances. As this requires either a malicious application to be delivered to a user or the user to visit a website hosting malicious web content, filtering mechanisms and training can provide effective mitigation against exposure. Overall, the risk to any given organization is low due to the obsolete nature of Internet Explorer and the variety of available mitigation strategies.
[1] “Scripting Engine Memory Corruption Vulnerability,” Security Update Guide - Microsoft Security Response Center. [Online]. Available: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0752. [Accessed: 01-Jun-2022].
[2] S. Zuckerbraun, “RCE without native code: Exploitation of a write-what-where in Internet Explorer,” Zero Day Initiative, 21-May-2019. [Online]. Available: https://www.zerodayinitiative.com/blog/2019/5/21/rce-without-native-code-exploitation-of-a-write-what-where-in-internet-explorer. [Accessed: 01-Jun-2022].
[3] CreatePhotonW, “CVE-2019-0752 Proof of Concept Code,” GitHub. [Online]. Available: https://raw.githubusercontent.com/ZwCreatePhoton/CVE-2019-0752/main/exploit.html. [Accessed: 01-Jun-2022].
[4] S. Zuckerbraun, “Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption,” Exploit Database, 24-May-2019. [Online]. Available: https://www.exploit-db.com/exploits/46928. [Accessed: 01-Jun-2022].
[5] “Microsoft CVE-2019-0752: Scripting Engine Memory Corruption Vulnerability,” Rapid7. [Online]. Available: https://www.rapid7.com/db/vulnerabilities/msft-cve-2019-0752/. [Accessed: 01-Jun-2022].
[6] Dan Goodin, “Porn Surfers Have a Dirty Secret. They're Using Internet Explorer,” Ars Technica, 12-Sep-2020. [Online]. Available: https://arstechnica.com/information-technology/2020/09/ads-that-install-malware-see-a-resurgence-on-porn-sites/. [Accessed: 01-Jun-2022].
[7] S. Gatlan, “Cisa Tells Federal Agencies to Patch Actively Exploited Chrome, Magento Bugs,” BleepingComputer, 16-Feb-2022. [Online]. Available: https://www.bleepingcomputer.com/news/security/cisa-tells-federal-agencies-to-patch-actively-exploited-chrome-magento-bugs/. [Accessed: 01-Jun-2022].
Member discussion