CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Internet Explorer 8 Security Vulnerability Disclosed

Hewlett Packard’s Zero Day Initiative has released information about a zero-day vulnerability in Internet Explorer 8 that empowers the attacker to remotely execute code.

Hewlett Packard’s Zero Day Initiative has released information about a zero-day vulnerability in Internet Explorer 8 that empowers the attacker to remotely execute code.

The bug was discovered by Peter ‘corelanc0d3r’ Van Eeckhoutte of the Corelan Team. ZDI disclosed the vulnerability to Microsoft in October, which confirmed it in February. In keeping with its policy at the time of giving vendors 180 days to patch, ZDI decided to release general details of the bug today to the public. That policy was changed in February to 120 days. 

“This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer,” according to ZDI’s advisory. “User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.”

“The specific flaw exists within the handling of CMarkup objects,” ZDI continues. “The allocation initially happens within CMarkup::CreateInitialMarkup. The free happens after the execution of certain JavaScript code followed by a CollectGarbage call. By manipulating a document’s elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.”

The vulnerability was found on IE 8 running Windows XP and Windows 7.

In a statement, Microsoft said it is aware of the issue but does not believe it has been used in attacks. 

“We continue working to address this issue and will release a security update when ready in order to help protect customers,” according to the company. 

The company suggested that users upgrade to the latest versions of Windows and Internet Explorer. 

Advertisement. Scroll to continue reading.

According to ZDI’s advisory, there are a number of mitigating factors and actions that can limit the impact of the latest bug while users wait on a patch from Microsoft. Among them is that while the attacker could host a malicious website decided to exploit the vulnerability, the user would have to be successfully lured into going there. Another mitigation is that users whose systems are configured with minimal user rights would be less impacted than those running with administrative rights.

In addition, all email messages opened up in Microsoft Outlook, Outlook Express and Windows Mail open HTML email messages in the ‘Restricted Sites’ zone by default, thereby disabling script and ActiveX controls and reduces the risk of a successful attack. Users can also change their Internet security zone settings to ‘High’ to block ActiveX controls and active scripting or prompt the browser to do so, ZDI advises. 

*This story was updated with additional commentary. 

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.