Four Zero Day Vulnerabilities Discovered in Internet Explorer!
Hewlett-Packard’s Zero Day Initiative greeted Microsoft today with not one but four zero-day vulnerabilities in Internet Explorer, each allowing attackers to remotely execute malicious code on a target machine. At first it was thought that these vulnerabilities affected only the desktop version of Microsoft’s web browser, but it was later reported that the mobile versions are vulnerable as well.
Each vulnerability affects a different part of the browser, and all are remotely exploitable through typical drive-by attacks. Details of the vulnerabilities discovered in IE are below:
ZDI-15-359: AddRow Out-Of-Bounds Memory Access Vulnerability
ZDI-15-360: Use-After-Free Remote Code Execution Vulnerability
ZDI-15-361: Use-After-Free Remote Code Execution Vulnerability
ZDI-15-362: Use-After-Free Remote Code Execution Vulnerability
All of them are important discoveries, but ZDI-15-359 is the most critical, since it relates to how IE processes the arrays representing cells in HTML tables. By altering elements of the document itself, an attacker can force IE to use memory past the end of an array of HTML cells. This allows the attacker to execute code under the context of the current process.
The vulnerability described in ZDI-15-360 allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability, in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of CAttrArray objects. By manipulating a document’s elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.
Microsoft has fixed all four zero-day vulnerabilities in the desktop version of its browser, but the flaws remain open on Internet Explorer Mobile.
HP’s Zero Day Initiative is strict about its 120-day disclosure policy. It notified Microsoft of the first zero-day flaw on November 12, 2014, and extended the disclosure deadline to May 12, 2015, then again to July 19. However, with no patch forthcoming, ZDI went public on July 22.