Microsoft ignores critical Internet Explorer zero-day bug, leaving users open to attack


Microsoft has ignored a critical vulnerability in its Internet Explorer 8 (IE8) web browser, leaving users open to attack and failing to produce a patch over 180 days after researchers privately disclosed the bug to the software firm.

The vulnerability was publicly disclosed by researchers at the Zero Day Initiative (ZDI), which claims it originally unearthed and disclosed the bug to Microsoft on 10 November 2013. At the time of publishing, Microsoft had not responded to V3’s request for comment on ZDI’s report.

The ZDI researchers said the IE8 vulnerability is dangerous as it could be used by hackers to infect machines running the web browser with malware.

“The specific flaw exists within the handling of CMarkup objects. The allocation initially happens within CMarkup::CreateInitialMarkup. The free happens after the execution of certain JavaScript code followed by a CollectGarbage call,” explained the threat disclosure.

“By manipulating a document’s elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.”

The ZDI disclosure said that, despite the seriousness of the vulnerability, any attack targeting it would require the victim to make a mistake.

“User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content,” read the post.

“Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by getting them to open an attachment sent through email.”

ZDI recommended that IE8 users deploy temporary workarounds while waiting for a full security patch from Microsoft. These included setting the Internet security zone to high on machines running IE8, disabling Active Scripting in the Internet and Local intranet security zones, or installing Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).
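The Active Scripting workaround can be checked and applied per user from PowerShell. The script below is an added example, not code from ZDI or Microsoft; it assumes the standard Internet Explorer zone registry layout (zone 1 is Local intranet, zone 3 is Internet, action 1400 is Active Scripting, value 3 means disabled), and the `-Apply` switch is a name chosen here.

```powershell
# Added example, not from ZDI or Microsoft: audit (default) or apply (-Apply)
# the "disable Active Scripting" workaround for the current user.
param([switch]$Apply)

$UserKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Machine-wide Group Policy location; values here take precedence over user preferences.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones     = @(
    @{ Id = 1; Name = 'Local intranet' },
    @{ Id = 3; Name = 'Internet' }
)
$Action    = '1400'   # URL action: Active Scripting
$Disabled  = 3        # 0 = enabled, 1 = prompt, 3 = disabled
$Meaning   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Read the action value for one zone under a given root; $null when absent.
function Get-ZoneSetting([string]$Root, [int]$ZoneId) {
    $path = Join-Path $Root $ZoneId
    $item = Get-ItemProperty -Path $path -Name $Action -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Action
}

# Turn a raw DWORD into a readable state, keeping unknown values visible.
function Format-Setting($Value) {
    if ($null -eq $Value) { return 'Not set' }
    if ($Meaning.ContainsKey([int]$Value)) { return $Meaning[[int]$Value] }
    return "Unknown ($Value)"
}

foreach ($zone in $Zones) {
    $path = Join-Path $UserKey $zone.Id
    if ($Apply) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name $Action -Value $Disabled -Type DWord
    }
    $user   = Get-ZoneSetting $UserKey   $zone.Id
    $policy = Get-ZoneSetting $PolicyKey $zone.Id
    [pscustomobject]@{
        Zone          = $zone.Name
        UserSetting   = Format-Setting $user
        MachinePolicy = Format-Setting $policy
        # Flag zones where scripting can still run despite the workaround.
        NeedsReview   = ($user -ne $Disabled) -or
                        (($null -ne $policy) -and ($policy -ne $Disabled))
    }
}
```

A zone reported with `NeedsReview = True` after `-Apply` usually means a machine policy is overriding the per-user value, so the fix belongs in Group Policy rather than on the endpoint.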

The vulnerability is one of many discovered in IE over the last few months. Microsoft was forced to backtrack on its promise to stop releasing security updates for Windows XP when a separate zero-day vulnerability was discovered in IE earlier in May.

22 May 2014 | 11:31 am – Source:
