Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Internet Explorer 8 Security Vulnerability Disclosed

Hewlett Packard’s Zero Day Initiative has released information about a zero-day vulnerability in Internet Explorer 8 that empowers the attacker to remotely execute code.

Hewlett Packard’s Zero Day Initiative has released information about a zero-day vulnerability in Internet Explorer 8 that empowers the attacker to remotely execute code.

The bug was discovered by Peter ‘corelanc0d3r’ Van Eeckhoutte of the Corelan Team. ZDI disclosed the vulnerability to Microsoft in October, which confirmed it in February. In keeping with its policy at the time of giving vendors 180 days to patch, ZDI decided to release general details of the bug today to the public. That policy was changed in February to 120 days. 

“This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer,” according to ZDI’s advisory. “User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.”

“The specific flaw exists within the handling of CMarkup objects,” ZDI continues. “The allocation initially happens within CMarkup::CreateInitialMarkup. The free happens after the execution of certain JavaScript code followed by a CollectGarbage call. By manipulating a document’s elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.”

The vulnerability was found on IE 8 running Windows XP and Windows 7.

In a statement, Microsoft said it is aware of the issue but does not believe it has been used in attacks. 

“We continue working to address this issue and will release a security update when ready in order to help protect customers,” according to the company. 

The company suggested that users upgrade to the latest versions of Windows and Internet Explorer. 

Advertisement. Scroll to continue reading.

According to ZDI’s advisory, there are a number of mitigating factors and actions that can limit the impact of the latest bug while users wait on a patch from Microsoft. Among them is that while the attacker could host a malicious website decided to exploit the vulnerability, the user would have to be successfully lured into going there. Another mitigation is that users whose systems are configured with minimal user rights would be less impacted than those running with administrative rights.

In addition, all email messages opened up in Microsoft Outlook, Outlook Express and Windows Mail open HTML email messages in the ‘Restricted Sites’ zone by default, thereby disabling script and ActiveX controls and reduces the risk of a successful attack. Users can also change their Internet security zone settings to ‘High’ to block ActiveX controls and active scripting or prompt the browser to do so, ZDI advises. 

*This story was updated with additional commentary. 

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.