Hewlett Packard’s Zero Day Initiative has released information about a zero-day vulnerability in Internet Explorer 8 that allows an attacker to execute code remotely.
The bug was discovered by Peter ‘corelanc0d3r’ Van Eeckhoutte of the Corelan Team. ZDI reported the vulnerability to Microsoft in October, and Microsoft confirmed it in February. In keeping with its policy at the time of giving vendors 180 days to patch, ZDI decided to release general details of the bug to the public today. That policy was changed in February to 120 days.
“This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer,” according to ZDI’s advisory. “User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.”
“The specific flaw exists within the handling of CMarkup objects,” ZDI continues. “The allocation initially happens within CMarkup::CreateInitialMarkup. The free happens after the execution of certain JavaScript code followed by a CollectGarbage call. By manipulating a document’s elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.”
The vulnerability was found on IE 8 running Windows XP and Windows 7.
In a statement, Microsoft said it is aware of the issue but does not believe it has been used in attacks.
“We continue working to address this issue and will release a security update when ready in order to help protect customers,” according to the company.
The company suggested that users upgrade to the latest versions of Windows and Internet Explorer.
According to ZDI’s advisory, there are a number of mitigating factors and actions that can limit the impact of the bug while users wait on a patch from Microsoft. Among them is that while an attacker could host a malicious website designed to exploit the vulnerability, the user would still have to be successfully lured into visiting it. Another mitigation is that users whose systems are configured with minimal user rights would be less affected than those running with administrative rights.
In addition, Microsoft Outlook, Outlook Express and Windows Mail open HTML email messages in the ‘Restricted Sites’ zone by default, which disables script and ActiveX controls and reduces the risk of a successful attack. Users can also change their Internet security zone settings to ‘High’, which blocks ActiveX controls and active scripting or prompts the user before running them, ZDI advises.
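The zone-setting mitigation above can be audited and applied per user from PowerShell. The script below is an added example, not from the article or from ZDI; it assumes the standard per-user location of the Internet zone (zone 3) settings and the documented value names 1200 (Run ActiveX controls and plug-ins) and 1400 (Active scripting), where 0 = Enable, 1 = Prompt and 3 = Disable.

```powershell
# Added example: audit and harden the Internet zone's ActiveX / Active Scripting settings.
# Assumptions: per-user zone policy lives under HKCU; a Group Policy copy under
# HKLM\...\Policies can override these values and is not checked here.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # Zone 3 = Internet
$Settings = @{
    1200 = 'Run ActiveX controls and plug-ins'
    1400 = 'Active scripting'
}
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Report each setting and whether it is already at Prompt or Disable.
function Get-InternetZoneScriptSettings {
    $zone = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    foreach ($id in $Settings.Keys) {
        $prop = $zone.PSObject.Properties[$id.ToString()]
        $raw = if ($null -ne $prop) { [int]$prop.Value } else { $null }
        $state = if ($null -eq $raw) { 'Not set (zone default)' }
                 elseif ($Meaning.ContainsKey($raw)) { $Meaning[$raw] }
                 else { "Unknown ($raw)" }
        [pscustomobject]@{
            Setting   = $Settings[$id]
            ValueName = $id
            State     = $state
            Hardened  = ($raw -eq 1 -or $raw -eq 3)
        }
    }
}

# Set both values to Prompt (1) or Disable (3) for the current user, matching
# what the 'High' security level does for these two controls.
function Set-InternetZoneScriptSettings {
    param([ValidateSet(1, 3)][int]$Value = 3)
    foreach ($id in $Settings.Keys) {
        Set-ItemProperty -Path $ZonePath -Name $id.ToString() -Value $Value -Type DWord
    }
}

Get-InternetZoneScriptSettings | Format-Table -AutoSize
```

Run `Set-InternetZoneScriptSettings -Value 1` to prompt rather than block outright; the audit function can then be re-run to confirm the change took effect.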
*This story was updated with additional commentary.