Microsoft fails to patch Internet Explorer zero-day exploit
Posted by: Jon Ben-Mayor on 05/22/2014 09:36 AM
The vulnerability was discovered in October by Belgian researcher Peter Van Eeckhoutte. The flaw was published in a recent advisory by HP's Zero Day Initiative (ZDI), which offers rewards for ethically uncovered vulnerabilities, not unlike the Google and Facebook bug bounty programs.
According to the Zero Day Initiative report, this vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of CMarkup objects. The allocation initially happens within CMarkup::CreateInitialMarkup. The free happens after the execution of certain JavaScript code followed by a CollectGarbage call. By manipulating a document's elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.
ZDI details the sequence of how this vulnerability is being disclosed publicly without a patch in accordance with the ZDI 180-day deadline, which is in place to allow a vendor to patch the issue.
Vendor Contact Timeline:
10/11/2013 - Case disclosed to vendor
02/10/2014 - Vendor confirmed reproduction
04/09/2014 - Original predicted disclosure (180 days)
05/08/2014 - ZDI notified the vendor of the intent to publicly disclose
05/21/2014 - ZDI publicly disclosed
Microsoft recommends that people using IE 8 should take the following steps:
- Set Internet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
- Install EMET. The Enhanced Mitigation Experience Toolkit (EMET) enables users to manage security mitigation technologies that help make it more difficult for attackers to exploit vulnerabilities in a given piece of software. EMET helps to mitigate this vulnerability in Internet Explorer on systems where EMET is installed and configured to work with Internet Explorer.
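As an added example (not from the article, Microsoft or ZDI), the following PowerShell script audits whether the zone settings above are in place and whether EMET is present. The zone registry layout (Zones\1 = Local intranet, Zones\3 = Internet; CurrentLevel 0x12000 = High; value 1400 = Active Scripting; value 1200 = Run ActiveX controls) is standard IE configuration; the EMET service name and registry path are assumptions for EMET 4.x/5.x.

```powershell
# Audit the IE zone settings recommended in the advisory (current user scope).
$base  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones = @{ 1 = 'Local intranet'; 3 = 'Internet' }

# Map the numeric zone action values to their UI names.
function ConvertTo-SettingName([object]$Value) {
    if ($null -eq $Value) { return 'NotSet (zone default)' }
    switch ([int]$Value) { 0 {'Enabled'} 1 {'Prompt'} 3 {'Disabled'} default {"Unknown($Value)"} }
}

function Get-ZoneStatus([int]$ZoneId, [string]$ZoneName) {
    $p = Get-ItemProperty -Path (Join-Path $base $ZoneId) -ErrorAction Stop
    $script = $p.'1400'   # Active Scripting
    $activeX = $p.'1200'  # Run ActiveX controls and plug-ins
    New-Object PSObject -Property @{
        Zone            = $ZoneName
        Level           = ('0x{0:X}' -f [int]$p.CurrentLevel)
        LevelIsHigh     = ([int]$p.CurrentLevel -eq 0x12000)
        ActiveScripting = (ConvertTo-SettingName $script)
        ActiveX         = (ConvertTo-SettingName $activeX)
        # "Prompt" or "Disabled" for Active Scripting satisfies the recommendation.
        ScriptMitigated = (@(1, 3) -contains $script)
    }
}

$results = foreach ($id in $zones.Keys) { Get-ZoneStatus -ZoneId $id -ZoneName $zones[$id] }
$results | Format-Table Zone, Level, LevelIsHigh, ActiveScripting, ActiveX, ScriptMitigated -AutoSize

# EMET presence check (service name and registry path are assumptions).
$emetSvc = Get-Service -Name 'EMET_Service' -ErrorAction SilentlyContinue
$emetKey = Test-Path 'HKLM:\SOFTWARE\Microsoft\EMET'
if ($emetSvc -or $emetKey) { "EMET present (service status: $($emetSvc.Status))" }
else { 'EMET not detected: install it and configure it to protect iexplore.exe' }

# A zone is considered hardened if it is set to High or Active Scripting is prompt/disabled.
$unmitigated = $results | Where-Object { -not ($_.LevelIsHigh -or $_.ScriptMitigated) }
if ($unmitigated) { "Zones without the recommended hardening: $($unmitigated.Zone -join ', ')" }
else { 'All audited zones are set to High or restrict Active Scripting' }
```

Group Policy can enforce the same values under HKLM, so on managed machines also check that hive.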
No indication, that I could readily find, was given regarding any upcoming patch to mend this flaw.