Researchers have disclosed a new zero-day vulnerability in Internet Explorer 8 that could enable an attacker to run arbitrary code on vulnerable machines via drive-by downloads or malicious attachments in email messages.

The vulnerability was discovered and disclosed to Microsoft in October, but the company has yet to produce a patch, so HP’s Zero Day Initiative, which is handling the bug, published its advisory Wednesday. The ZDI has a policy of disclosing vulnerability details after 180 days if the vendor hasn’t produced a patch.

The use-after-free flaw lies in the way that IE handles CMarkup objects, and ZDI’s advisory says that an attacker can take advantage of it to run arbitrary code.

“The allocation initially happens within CMarkup::CreateInitialMarkup. The free happens after the execution of certain JavaScript code followed by a CollectGarbage call. By manipulating a document’s elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process,” the ZDI advisory says.
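The sequence the advisory describes (allocate, free via garbage collection, reuse the chunk, then call through the stale pointer) is the generic use-after-free pattern. The following C program is an added example, not code from the ZDI advisory or from Internet Explorer: it uses a hypothetical `Markup` struct with a vtable-like function pointer as a stand-in for the CMarkup object, and a toy fixed-size slab allocator with a LIFO free list so that chunk reuse is deterministic and the effect can be observed without depending on the real heap's internals. The vulnerable sequence keeps a raw pointer in the owning `Document` after the free; the hardened sequence clears the owning reference when the object is collected and checks it before use.

```c
/* Added example: deterministic use-after-free with a toy slab allocator.
 * The Markup/Document types and the allocator are hypothetical stand-ins;
 * nothing here is IE or ZDI code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 4
enum { BENIGN_CODE = 1, ATTACKER_CODE = 0x41, DANGLING_CAUGHT = -1 };

typedef struct Markup {
    int (*on_event)(struct Markup *);  /* vtable-like function pointer */
    uint32_t id;
} Markup;

/* Toy slab: SLOTS chunks of sizeof(Markup) with a LIFO free list, so the
 * next allocation after a free returns the chunk that was just freed. */
static Markup slab[SLOTS];
static int free_stack[SLOTS];
static int free_top = 0;
static int initialized = 0;

static void slab_init(void) {
    for (int i = SLOTS - 1; i >= 0; i--) free_stack[free_top++] = i;
    initialized = 1;
}

static Markup *slab_alloc(void) {
    if (!initialized) slab_init();
    if (free_top == 0) return NULL;
    Markup *m = &slab[free_stack[--free_top]];
    memset(m, 0, sizeof *m);
    return m;
}

static void slab_free(Markup *m) {
    free_stack[free_top++] = (int)(m - slab);  /* chunk goes to top of free list */
}

static int benign_handler(Markup *m)   { (void)m; return BENIGN_CODE; }
static int attacker_handler(Markup *m) { (void)m; return ATTACKER_CODE; }

typedef struct Document { Markup *markup; } Document;

/* Vulnerable: frees the markup but leaves doc->markup dangling. */
static void collect_garbage(Document *doc) { slab_free(doc->markup); }

/* Hardened: the owner's reference is cleared when the object is collected. */
static void collect_garbage_safe(Document *doc) {
    slab_free(doc->markup);
    doc->markup = NULL;
}

/* Returns the code produced by dispatching through doc.markup after the free.
 * With the dangling pointer this is ATTACKER_CODE: the attacker's same-size
 * allocation reused the chunk and overwrote the function pointer. */
int vulnerable_sequence(void) {
    Document doc;
    doc.markup = slab_alloc();               /* like CreateInitialMarkup */
    doc.markup->on_event = benign_handler;
    doc.markup->id = 1;

    collect_garbage(&doc);                   /* freed, pointer still held */

    Markup *replacement = slab_alloc();      /* attacker-controlled object */
    replacement->on_event = attacker_handler;
    replacement->id = 0x41414141;

    int code = doc.markup->on_event(doc.markup);  /* use after free */
    slab_free(replacement);
    return code;
}

/* Same sequence with the owning reference cleared on collection; the stale
 * dispatch is detected instead of executed. */
int hardened_sequence(void) {
    Document doc;
    doc.markup = slab_alloc();
    doc.markup->on_event = benign_handler;
    doc.markup->id = 1;

    collect_garbage_safe(&doc);

    Markup *replacement = slab_alloc();
    replacement->on_event = attacker_handler;
    replacement->id = 0x41414141;

    int code = doc.markup ? doc.markup->on_event(doc.markup) : DANGLING_CAUGHT;
    slab_free(replacement);
    return code;
}

int main(void) {
    printf("vulnerable: 0x%x (0x41 = attacker handler ran)\n", vulnerable_sequence());
    printf("hardened:   %d (-1 = dangling pointer caught)\n", hardened_sequence());
    return 0;
}
```

The toy allocator's LIFO reuse stands in for what an attacker arranges on a real heap by allocating objects of the same size class after the free; the function-pointer overwrite is what turns a stale read into code execution in the process context, which is the impact the advisory states.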


Microsoft officials have not issued an advisory about the vulnerability yet, but ZDI’s advisory says that installing Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), which adds exploit mitigations to applications such as IE, is a viable way to reduce the severity of the flaw. The bug was discovered by Peter Van Eeckhoutte of Corelan, a security research team.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit these vulnerabilities through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements,” the ZDI advisory says.

“These websites could contain specially crafted content that could exploit these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by getting them to open an attachment sent through email.”

This is the second zero-day disclosed in IE in the last couple of months. In April, researchers observed attackers using the CVE-2014-1776 IE zero-day in targeted attacks. Microsoft later issued an emergency out-of-band patch for that vulnerability.


Comments (7)

    • Brian Donohue

      A zero-day is a vulnerability for which the affected vendor has not yet generated a patch.

      • Phil Hibbs

        I thought that was an “unpatched vulnerability”. So if they release a patch today, then tomorrow it becomes a “1-day vulnerability”, then “2-day” etc.? The number just indicates how long it has been since the patch was released?

• Radoslav Dejanović

  Actually, there are not really 1-day, 2-day or n-day vulnerabilities. It is either a zero-day vulnerability (which means that there’s no fix for it at the time of disclosure) or an “ordinary” vulnerability (that has already been patched at the time of the advisory).

  This is because there are only two ways a vulnerability can be disclosed: before it is patched and after it is patched. Security researchers usually work together with the person or company responsible for the code in such a way that researchers give all relevant information about the vulnerability to the company and they mutually agree that they will keep it a secret until the company can fix the issue and deploy fixed software to all affected clients; only then do researchers make the announcement public. As you can see, in that case there’s very little to no danger from the disclosure because the error has already been corrected and the software isn’t vulnerable anymore (and researchers get their due credit).

  This situation, however, is one of the rare occasions where the company (MS) chose not to act on information given to them by researchers (HP); in such cases it is common for researchers to go public with the information even if the company didn’t fix the vulnerability.

  In this case Microsoft has been told about the issue, but didn’t care. Six months later, HP decided to go for a disclosure.

  The only reason why this is a zero-day vulnerability (and not an “ordinary” one) is because MS didn’t care to fix it.

• Upton

  A zero day bug is one that has been present in the code since the very beginning (e.g. of a release, development cycle, or very first submission to source control). When a developer says “It’s a zero day bug” it means the problem was there long before he made any changes and it’s not his fault.
