Researchers have disclosed a new zero-day vulnerability in Internet Explorer 8 that could enable an attacker to run arbitrary code, with the privileges of the browser process, on vulnerable machines via drive-by downloads or malicious attachments in email messages.
The vulnerability was discovered and reported to Microsoft in October, but the company has yet to produce a patch, so HP's Zero Day Initiative (ZDI), which is handling the bug, published its advisory Wednesday. The ZDI's policy is to publish vulnerability details 180 days after reporting if the vendor has not shipped a patch.
The use-after-free flaw lies in the way IE handles CMarkup objects: a pointer to an object that has already been freed is used again, and ZDI's advisory says an attacker can take advantage of that stale pointer to run arbitrary code.
“The allocation initially happens within CMarkup::CreateInitialMarkup. The free happens after the execution of certain JavaScript code followed by a CollectGarbage call. By manipulating a document’s elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process,” the ZDI advisory says.
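The advisory describes the classic use-after-free sequence: an object is allocated, a reference to it survives the free (here triggered by garbage collection), attacker-controlled data lands in the freed memory, and the stale reference is then dereferenced. The C program below is an added illustration of that pattern and is not code from IE, ZDI or Corelan; it models the browser heap with a hypothetical fixed-size slab allocator and stands in a callback pointer for a C++ object's vtable pointer. The vulnerable flow shows why reclaiming the freed slot hands the attacker control of the call; the hardened flow shows the reference-counting discipline (every holder owns a reference, release clears the holder's pointer) that prevents the dangling pointer in the first place.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcomes reported by the render step. */
enum { RENDER_NONE = 0, RENDER_BENIGN = 1, RENDER_ATTACKER = 2 };

typedef int (*handler_fn)(void);

/* Stand-in for a markup object: the first word is a callback pointer,
 * in the position a C++ object's vtable pointer would occupy. */
typedef struct {
    handler_fn on_render;
    uint32_t node_id;
    uint32_t refs;
} markup_t;

static int benign_render(void)   { return RENDER_BENIGN; }
static int attacker_render(void) { return RENDER_ATTACKER; }

/* Toy slab allocator (an assumption of this example, not IE's heap):
 * fixed-size slots and a LIFO free list, so the most recently freed slot
 * is the next one handed out. Real allocators behave the same way for
 * same-size requests, which is what lets attacker data reclaim a freed
 * object's memory. */
enum { SLOT_SIZE = 32, NSLOTS = 4 };
typedef union { unsigned char bytes[SLOT_SIZE]; markup_t obj; } slot_t;

static slot_t slab[NSLOTS];
static int free_list[NSLOTS];
static int free_top;

static void slab_init(void) {
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--) free_list[free_top++] = i; /* slot 0 on top */
}
static void *slab_alloc(void) { return free_top > 0 ? &slab[free_list[--free_top]] : NULL; }
static void slab_free(void *p) { free_list[free_top++] = (int)((slot_t *)p - slab); }

/* Vulnerable flow, following the sequence the advisory describes: allocate
 * the object, keep a second reference to it, free it (the garbage-collection
 * step), let attacker-controlled bytes land in the same slot, then use the
 * stale reference. */
static int vulnerable_flow(void) {
    slab_init();
    markup_t *node = slab_alloc();          /* CreateInitialMarkup analogue */
    node->on_render = benign_render;
    node->node_id = 1;
    node->refs = 1;

    markup_t *stale = node;                 /* reference that outlives the object */
    slab_free(node);                        /* object freed; 'stale' now dangles */

    /* Attacker "string" of exactly SLOT_SIZE bytes reclaims the slot and
     * overwrites the first word with a pointer of the attacker's choosing. */
    unsigned char *spray = slab_alloc();
    handler_fn fake = attacker_render;
    memset(spray, 0x41, SLOT_SIZE);
    memcpy(spray, &fake, sizeof fake);

    return stale->on_render();              /* dangling pointer reused: attacker's code runs */
}

/* Hardened flow: every holder of the object owns a reference, release
 * clears the holder's pointer, and memory goes back to the allocator only
 * when the last reference is dropped. */
static markup_t *markup_acquire(markup_t *n) { n->refs++; return n; }
static void markup_release(markup_t **ref) {
    markup_t *n = *ref;
    *ref = NULL;                            /* this holder can never dangle */
    if (n && --n->refs == 0) slab_free(n);
}

static int hardened_flow(void) {
    slab_init();
    markup_t *node = slab_alloc();
    node->on_render = benign_render;
    node->node_id = 1;
    node->refs = 1;

    markup_t *second = markup_acquire(node); /* refs == 2 */
    markup_release(&node);                   /* first holder lets go: refs == 1, memory stays live */

    unsigned char *spray = slab_alloc();     /* attacker gets a different slot */
    handler_fn fake = attacker_render;
    memset(spray, 0x41, SLOT_SIZE);
    memcpy(spray, &fake, sizeof fake);

    int result = second ? second->on_render() : RENDER_NONE;
    markup_release(&second);
    return result;
}

int main(void) {
    printf("vulnerable flow: %d (2 = attacker handler ran)\n", vulnerable_flow());
    printf("hardened flow:   %d (1 = benign handler ran)\n", hardened_flow());
    return 0;
}
```

The slab keeps the freed memory readable, so the program has no undefined behaviour and the outcome is deterministic: in the vulnerable flow the allocation that follows the free returns the very slot the stale pointer still addresses, and the first word of that slot, now attacker-written, is what gets called. The same slot-reuse property is what mitigations such as EMET's heap-spray and export-address-table protections try to make harder to exploit without fixing the underlying lifetime bug.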
Microsoft has not yet issued an advisory for the vulnerability, but ZDI's advisory says that installing Microsoft's Enhanced Mitigation Experience Toolkit (EMET), which adds exploit mitigations to running processes, is a viable way to reduce the risk from the flaw; EMET raises the cost of exploiting it but does not remove the bug. The vulnerability was discovered by Peter Van Eeckhoutte of Corelan, a security research team.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit these vulnerabilities through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements,” the ZDI advisory says.
“These websites could contain specially crafted content that could exploit these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by getting them to open an attachment sent through email.”
This is the second IE zero-day disclosed in the last couple of months. In April, researchers observed attackers using the CVE-2014-1776 IE zero-day in targeted attacks; Microsoft later issued an emergency out-of-band patch for that vulnerability.