Internet Explorer 8 Security Vulnerability Disclosed

Hewlett Packard’s Zero Day Initiative has released information about a zero-day vulnerability in Internet Explorer 8 that allows an attacker to remotely execute code.

The bug was discovered by Peter ‘corelanc0d3r’ Van Eeckhoutte of the Corelan Team. ZDI disclosed the vulnerability to Microsoft in October, and Microsoft confirmed it in February. In keeping with its policy at the time of giving vendors 180 days to patch, ZDI decided to release general details of the bug to the public today. That policy was changed in February to 120 days.

“This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer,” according to ZDI’s advisory. “User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.”

“The specific flaw exists within the handling of CMarkup objects,” ZDI continues. “The allocation initially happens within CMarkup::CreateInitialMarkup. The free happens after the execution of certain JavaScript code followed by a CollectGarbage call. By manipulating a document’s elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.”

The vulnerability was found on IE 8 running Windows XP and Windows 7.

In a statement, Microsoft said it is aware of the issue but does not believe it has been used in attacks. 

“We continue working to address this issue and will release a security update when ready in order to help protect customers,” according to the company. 

The company suggested that users upgrade to the latest versions of Windows and Internet Explorer. 

According to ZDI’s advisory, there are a number of mitigating factors and actions that can limit the impact of the latest bug while users wait on a patch from Microsoft. Among them is that while the attacker could host a malicious website designed to exploit the vulnerability, the user would have to be successfully lured into going there. Another mitigation is that users whose systems are configured with minimal user rights would be less impacted than those running with administrative rights.

In addition, Microsoft Outlook, Outlook Express and Windows Mail open HTML email messages in the ‘Restricted Sites’ zone by default, which disables script and ActiveX controls and reduces the risk of a successful attack. Users can also change their Internet security zone settings to ‘High’ to block ActiveX controls and active scripting, or configure the browser to prompt before running them, ZDI advises.
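
To check how a machine stands against the zone-setting mitigation described above, the following PowerShell audit (an added example, not part of ZDI’s advisory or the original article) reads the per-user Internet and Restricted Sites zone values for active scripting (URL action 1400) and running ActiveX controls (URL action 1200). It assumes the standard per-user registry location and PowerShell 3.0 or later, and it does not evaluate Group Policy overrides.

```powershell
# Added example: audit the IE zone settings named in the mitigations above.
# Zones 3 and 4 and URL actions 1400 and 1200 are the documented IE values.
# Reads per-user settings only; Group Policy under Software\Policies can override them.
$base    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones   = @{ 3 = 'Internet'; 4 = 'Restricted Sites' }
$actions = @{ '1400' = 'Active scripting'; '1200' = 'Run ActiveX controls and plug-ins' }
$meaning = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ZoneActionAudit {
    foreach ($zone in ($zones.Keys | Sort-Object)) {
        # A missing key means the zone has never been customised for this user.
        $props = Get-ItemProperty -Path "$base\$zone" -ErrorAction SilentlyContinue
        foreach ($id in ($actions.Keys | Sort-Object)) {
            $raw = if ($props) { $props.$id } else { $null }
            if ($null -eq $raw) {
                $setting = 'Not set'; $status = 'UNKNOWN'
            } elseif ($meaning.ContainsKey([int]$raw)) {
                $setting = $meaning[[int]$raw]
                # Prompt or Disabled matches the advisory's guidance; Enabled does not.
                $status = if ([int]$raw -eq 0) { 'EXPOSED' } else { 'REDUCED' }
            } else {
                # Other values exist (for example administrator-approved ActiveX).
                $setting = ('0x{0:X}' -f [int]$raw); $status = 'REVIEW'
            }
            [pscustomobject]@{
                Zone = $zones[$zone]; Action = $actions[$id]
                Value = $setting; Status = $status
            }
        }
    }
}

Get-ZoneActionAudit | Format-Table -AutoSize
```

Rows marked EXPOSED in the Internet zone are the ones the ‘High’ setting would change; Restricted Sites should already show Disabled on a default configuration.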

*This story was updated with additional commentary. 
