Microsoft fails to address IE zero day before public disclosure

Though notified of the IE zero day months ago, Microsoft failed to address the vulnerability before it was made public.

An Internet Explorer zero-day vulnerability that was originally discovered in October 2013 was made public today after Microsoft failed to address the issue in what researchers say was a reasonable amount of time.

According to an advisory issued by HP's Zero-Day Initiative (ZDI) -- the group of researchers behind the Pwn2Own hacking competition -- the Internet Explorer (IE) zero-day only affects version 8 of Microsoft's Web browser. The use-after-free vulnerability arises when the browser is handling CMarkup objects.

While this vulnerability only affects IE 8, a separate use-after-free flaw in the same library was disclosed in February of this year which allowed attackers to gain local access rights through version 10 of the browser. In that case, Microsoft issued a "fix it" utility prior to public notice of the vulnerability.

The current flaw can be triggered by luring a victim to a malicious website, and if successful, an attacker could remotely execute arbitrary code on a vulnerable machine and gain the same access rights as the current user. The severity of the vulnerability -- it is ranked as a 6.8 according to the common vulnerability scoring system -- is tempered by the need for user interaction.

"In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action," said the ZDI advisory, "typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by getting them to open an attachment sent through email."

ZDI said it first disclosed the IE zero-day, CVE-2014-1770, to Microsoft in October 2013 after it was unearthed by Belgian security researcher Peter Van Eeckhoutte, and Microsoft then confirmed the issue in February 2014. ZDI typically provides vendors with 180 days to address vulnerabilities before they are disclosed to the public, meaning Microsoft had until April to patch the flaw.

In this case, Microsoft was actually given another chance in early May to address the issue, but again failed to heed ZDI's warnings that a public disclosure was imminent. Microsoft's security team has had its hands full in recent months -- the company was forced to release an out-of-band patch for another IE zero-day earlier this month which notably included a fix for the now unsupported XP operating system.

The ZDI advisory provided a number of potential mitigation techniques for the IE zero-day, including setting IE's security zone settings to "high" or configuring the browser to issue a prompt before running Active Scripting. Perhaps the easiest answer to the problem is to install and run Microsoft's Enhanced Mitigation Experience Toolkit, which the Redmond, Washington-based software giant frequently looks toward for the mitigation of zero-day vulnerabilities until a patch can be released.

Dig deeper on Web Browser Security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close