Reefa Posted May 21, 2014

Researchers have disclosed a new zero day vulnerability in Internet Explorer 8 that could enable an attacker to run arbitrary code on vulnerable machines via drive-by downloads or malicious attachments in email messages.

The vulnerability was discovered and disclosed to Microsoft in October, but the company has yet to produce a patch, so HP’s Zero Day Initiative, which is handling the bug, published its advisory Wednesday. The ZDI has a policy of disclosing vulnerability details after 180 days if the vendor hasn’t produced a patch.

The use-after-free flaw lies in the way that IE handles CMarkup objects, and ZDI’s advisory says that an attacker can take advantage of it to run arbitrary code.

“The allocation initially happens within CMarkup::CreateInitialMarkup. The free happens after the execution of certain JavaScript code followed by a CollectGarbage call. By manipulating a document’s elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process,” the ZDI advisory says.

Microsoft officials have not issued an advisory about the vulnerability yet, but ZDI’s advisory says that installing the EMET toolkit, which includes exploit mitigations, is a viable method for mitigating the seriousness of the flaw. The bug was discovered by Peter Van Eeckhoutte of Corelan, a security research team.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit these vulnerabilities through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements,” the ZDI advisory says.

“These websites could contain specially crafted content that could exploit these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by getting them to open an attachment sent through email.”

This is the second zero day disclosed in IE in the last couple of months. In April, researchers observed attackers using the CVE-2014-1776 IE zero day in targeted attacks. Microsoft later issued an emergency out-of-band patch for that vulnerability.

Source

Ballistic Gelatin Posted May 21, 2014

Internet Explorer is a joke. Period.

anuseems Posted May 23, 2014

An older version of Microsoft's Internet Explorer browser has an unpatched software flaw that could allow rogue code to run on a computer, the second such flaw found in a month.

From Network World:

Microsoft was told of the flaw in October, which was discovered by Belgian researcher Peter Van Eeckhoutte, according to an advisory published Wednesday by HP's Zero Day Initiative (ZDI), a program that rewards security researchers for finding software flaws.

ZDI holds off publicly publishing information on a security flaw for up to six months so a software vendor can patch it. As that period came close to expiring, ZDI said it told Microsoft on May 8 that it intended to publish details of the flaw.

http://www.networkworld.com/news/2014/052214-new-internet-explorer-zero-day-details-281820.html

Edited May 23, 2014 by anuseems