Four RCE Zero-Day Flaws Plague Internet Explorer: ZDI

HP’s Zero-Day Initiative (ZDI) has disclosed four unpatched remote code execution vulnerabilities affecting Microsoft’s Internet Explorer web browser.

ZDI said it revealed the existence of the zero-day flaws in accordance with its 120-day disclosure deadline. In reality, Microsoft was given well over half a year to patch the bugs, but the company failed to do so.

ZDI has not shared too many technical details on these security holes to prevent abuse.

One of the security bugs, an out-of-bounds memory access issue, was reported to Microsoft by the researcher Nicolas Joly at HP’s Mobile Pwn2Own competition in November 2014. The vulnerability, related to how Internet Explorer processes arrays representing cells in HTML tables, can be exploited by a remote attacker to execute arbitrary code.

ZDI has pointed out that the vulnerability also affects IE on Windows Phone, which is not surprising considering that Joly targeted the Lumia 1520 phone at the Mobile Pwn2Own hacking competition.

In order for the attack to work, the attacker must trick the victim into opening a webpage or file designed to force the browser to use memory past the end of an array of HTML cells.

Microsoft was initially given a May 12, 2015 deadline, but this deadline was extended to July 19 at the vendor’s request. Since the company failed to meet this deadline, ZDI has decided to inform users of the existence of this flaw.

The other three RCE zero-days affecting Internet Explorer are use-after-free issues discovered by ZDI researcher AbdulAziz Hariri and reported to Microsoft in January 2015.

These vulnerabilities are related to the handling of CCurrentStyle, CAttrArray and CTreePos objects.

“By manipulating a document’s elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process,” ZDI noted in its advisories for the vulnerabilities found by Hariri.

Microsoft requested an extension of the disclosure deadline until July 19 for these bugs as well, but the company missed the patch deadline.

Mitigation advice for these vulnerabilities from ZDI includes configuring Internet Explorer to prompt before running Active Scripting, or disabling the feature in the Internet and Local Intranet security zones.
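The mitigation above maps to a per-zone registry setting. The following PowerShell is an added example, not taken from ZDI's advisories or from SecurityWeek. It assumes the standard Internet Explorer zone layout, where zone 1 is Local Intranet, zone 3 is Internet, and URL action 1400 is Active Scripting (0 = enable, 1 = prompt, 3 = disable). It reports the current state and only writes when run with `-Apply`.

```powershell
# Added example: audit and harden the Active Scripting URL action (1400)
# for the Local Intranet (1) and Internet (3) zones of the current user.
# Values for action 1400: 0 = enable, 1 = prompt, 3 = disable.
param(
    [ValidateSet('Prompt', 'Disable')]
    [string]$Mode = 'Prompt',
    [switch]$Apply          # without -Apply the script only reports
)

$action  = '1400'
$wanted  = @{ Prompt = 1; Disable = 3 }[$Mode]
$zones   = @{ 1 = 'Local Intranet'; 3 = 'Internet' }
$userKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$polKeys = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ZoneValue([string]$Root, [int]$Zone) {
    $item = Get-ItemProperty -Path "$Root\$Zone" -Name $action -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.$action } else { $null }
}

foreach ($zone in $zones.Keys | Sort-Object) {
    # A Group Policy value overrides the per-user one, so look for it first.
    $policy = $polKeys | ForEach-Object { Get-ZoneValue $_ $zone } |
              Where-Object { $null -ne $_ } | Select-Object -First 1
    $before = Get-ZoneValue $userKey $zone

    if ($Apply -and $null -eq $policy) {
        # Create the key only if missing: New-Item -Force would wipe existing values.
        if (-not (Test-Path "$userKey\$zone")) { New-Item -Path "$userKey\$zone" | Out-Null }
        Set-ItemProperty -Path "$userKey\$zone" -Name $action -Value $wanted -Type DWord
    }

    $after     = Get-ZoneValue $userKey $zone
    $effective = if ($null -ne $policy) { $policy } else { $after }
    [pscustomobject]@{
        Zone        = $zones[$zone]
        PolicyValue = $policy      # non-empty means the setting is centrally managed
        UserBefore  = $before
        UserAfter   = $after
        Mitigated   = $effective -in 1, 3
    }
}
```

Where `PolicyValue` is populated the script leaves the zone alone, because a per-user write would not change the effective setting; the change has to be made in Group Policy instead.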

“It is unlikely that exploit code exists at the moment and difficult to reverse engineer the vulnerabilities as details are sparse,” Qualys CTO Wolfgang Kandek commented on the disclosure of the zero-days. “There is not much you can do at the moment, except refrain from using Internet Explorer.”

This is not the first time a company has disclosed the existence of zero-day bugs affecting Microsoft products. Last year, HP released information on a flaw affecting Internet Explorer 8. In late 2014 and early 2015, Google disclosed three unpatched Windows vulnerabilities in accordance with its 90-day disclosure deadline.

UPDATE: Microsoft patched the vulnerabilities in the desktop version of Internet Explorer on July 8, 2014 (MS14-037) and on March 10, 2015 (MS15-018).

ZDI has updated its advisories to clarify that the unpatched flaws actually affect the mobile version of Internet Explorer.

“We’re aware of the reports regarding Internet Explorer for Windows Phone. A number of factors would need to come into play, and no attacks have been reported. We continue to monitor the situation and will take appropriate steps to protect our customers,” a Microsoft spokesperson told SecurityWeek.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
