
Another Internet Explorer ZERO DAY Surfaces


Reefa


Researchers have disclosed a new zero day vulnerability in Internet Explorer 8 that could enable an attacker to run arbitrary code on vulnerable machines via drive-by downloads or malicious attachments in email messages.

The vulnerability was discovered and disclosed to Microsoft in October, but the company has yet to produce a patch, so HP’s Zero Day Initiative, which is handling the bug, published its advisory Wednesday. The ZDI has a policy of disclosing vulnerability details after 180 days if the vendor hasn’t produced a patch.

The use-after-free flaw lies in the way that IE handles CMarkup objects, and ZDI’s advisory says that an attacker can take advantage of it to run arbitrary code.

“The allocation initially happens within CMarkup::CreateInitialMarkup. The free happens after the execution of certain JavaScript code followed by a CollectGarbage call. By manipulating a document’s elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process,” the ZDI advisory says.

Microsoft officials have not issued an advisory about the vulnerability yet, but ZDI’s advisory says that installing the EMET toolkit, which includes exploit mitigations, is a viable method for mitigating the seriousness of the flaw. The bug was discovered by Peter Van Eeckhoutte of Corelan, a security research team.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit these vulnerabilities through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements,” the ZDI advisory says.

“These websites could contain specially crafted content that could exploit these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by getting them to open an attachment sent through email.”

This is the second zero day disclosed in IE in the last couple of months. In April, researchers observed attackers using the CVE-2014-1776 IE zero day in targeted attacks. Microsoft later issued an emergency out-of-band patch for that vulnerability.

Source


An older version of Microsoft's Internet Explorer browser has an unpatched software flaw that could allow rogue code to run on a computer, the second such flaw found in a month.

From Network World:

Microsoft was told of the flaw in October, which was discovered by Belgian researcher Peter Van Eeckhoutte, according to an advisory published Wednesday by HP's Zero Day Initiative (ZDI), a program that rewards security researchers for finding software flaws.

ZDI holds off publicly publishing information on a security flaw for up to six months so a software vendor can patch it. As that period came close to expiring, ZDI said it told Microsoft on May 8 that it intended to publish details of the flaw.

http://www.networkworld.com/news/2014/052214-new-internet-explorer-zero-day-details-281820.html

Edited by anuseems