The Inquirer-Home

Microsoft: Upgrade to Windows 8 to dodge unpatched IE zero-day flaw

Uses an overlooked IE security bug as an excuse to get users to migrate
Fri May 23 2014, 10:47

MICROSOFT HAS URGED Internet Explorer (IE) users to upgrade their operating systems to dodge the overlooked zero-day security vulnerability that was found but not patched in version eight of the web browser seven months ago.

The IE 8 critical zero-day flaw has gone unfixed since last October, a report from the Zero-Day Initiative (ZDI) revealed on Wednesday.

When we chased Microsoft for a comment regarding the news, a spokesperson said the Redmond firm knew about the flaw but had "not detected" incidents affecting its customers... yet.

"We build and thoroughly test every security fix as quickly as possible. Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations," the spokesperson said, adding that the firm is working to address the issue and will release a security update "when ready".

"We encourage customers to upgrade to a modern operating system, such as Windows 7 or 8.1, and run the latest version of Internet Explorer which include further protections," the statement concluded, suggesting that users should upgrade to bypass the IE 8 issue.

The vulnerability, named CVE-2014-1770, was discovered by Peter "corelanc0d3r" Van Eeckhoutte on 11 October 2013 and wasn't publicly reported until this week.

The ZDI is an initiative that rewards security researchers for disclosing vulnerabilities. The bug was not previously reported because ZDI's policy is to disclose zero-day flaws that go unfixed for more than 180 days.

The vulnerability means that in a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the vulnerability through IE, and then lure users to view the website.

"This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer," ZDI said on its vulnerability details webpage. "User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file."

ZDI said that the flaw exists in the handling of "CMarkup objects" and the allocation initially happens within the "CMarkup::CreateInitialMarkup" code.

"The free happens after the execution of certain Javascript code followed by a CollectGarbage call," ZDI explained. "By manipulating a document's elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process," it added.

"An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user," Eeckhoutte said.

However, Kaspersky security researcher Marta Janus doesn't think Microsoft had an excuse to not patch it.

"Not having identified any malware in the wild that exploits this vulnerability is a poor excuse for not patching it. The fact that, as of yet, no attacks have been discovered doesn't necessarily mean that there haven't been any at all," Janus said. "In today's world of surgical, targeted attacks there is no way to keep track of all security breaches occurring around the world, and plenty of incidents remain undetected for a long time. However, even if we assume that such a vulnerability hasn't yet been exploited, that doesn't mean that it won't be in the future."

Kaspersky believes that after a public disclosure of an unpatched vulnerability like this one, cybercriminals will suddenly begin to take an interest.

"Microsoft's position on the case of the IE8 vulnerability seems surprisingly irresponsible. Of course, there are some flaws that are far more difficult to patch than others and sometimes it requires time and resources that would be better spent on fixing issues in more current versions of a product. But following the disclosure, IE8 users are actually far more likely to be at risk," Janus added. µ

