-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2302
             (0Day) Microsoft Internet Explorer display:run-in
            Use-After-Free Remote Code Execution Vulnerability
                              5 December 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Internet Explorer
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Mitigation
CVE Names:         CVE-2014-8967  

Original Bulletin: 
   http://www.zerodayinitiative.com/advisories/ZDI-14-403/

Comment: The Zero Day Initiative has provided mitigations, which are stated in
         the body of their notification.

- --------------------------BEGIN INCLUDED TEXT--------------------

(0Day) Microsoft Internet Explorer display:run-in Use-After-Free Remote Code 
Execution Vulnerability

ZDI-14-403: December 4th, 2014

CVE ID

    CVE-2014-8967

CVSS Score

    6.8, (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Affected Vendors

    Microsoft

Affected Products

    Internet Explorer

TippingPoint IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by Digital
Vaccine protection filter ID 16284. For further product information on the 
TippingPoint IPS:

    http://www.tippingpoint.com

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on 
vulnerable installations of Microsoft Internet Explorer. User interaction is 
required to exploit this vulnerability in that the target must visit a 
malicious page or open a malicious file.

The vulnerability relates to how Internet Explorer uses reference counting to
manage the lifetimes of the in-memory objects representing HTML elements 
(CElement objects). By applying a CSS style of display:run-in to a page and 
performing particular manipulations, an attacker can cause an object's 
reference count to fall to zero prematurely, causing the object to be freed. 
Internet Explorer will then continue using this object after it has been 
freed. An attacker can leverage this vulnerability to execute code under the 
context of the current process.
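The paragraph above describes the general shape of a reference-counting
use-after-free: engine code keeps a raw pointer to an element across an
operation that can run page script, the script drops the last reference, and
the engine then touches freed memory. The following C program is an added
illustration of that pattern and its standard remedy; it is not ZDI's or
Microsoft's code and models no Internet Explorer internals. The Element,
Document and hook names, the fixed pool that stands in for the heap, and the
"poison on free" marking are all assumptions made so the stale access can be
detected without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of a reference-counted element, in the spirit of the CElement
 * objects the advisory describes. Field names and layout are assumptions made
 * for this illustration, not Internet Explorer's real structures. */
typedef struct Element {
    unsigned refcount;   /* number of live references to this element */
    int live;            /* 1 while allocated, 0 once "freed" back to the pool */
    int run_in;          /* 1 if styled display:run-in (a flag only; no layout is modelled) */
    char tag[8];
} Element;

/* A tiny fixed pool stands in for the heap so that a stale access can be
 * recognised by inspecting the slot instead of dereferencing freed memory. */
#define POOL_SIZE 4
static Element pool[POOL_SIZE];

static Element *element_alloc(const char *tag, int run_in) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].live) {
            pool[i].refcount = 1;       /* the creator holds the first reference */
            pool[i].live = 1;
            pool[i].run_in = run_in;
            strncpy(pool[i].tag, tag, sizeof pool[i].tag - 1);
            pool[i].tag[sizeof pool[i].tag - 1] = '\0';
            return &pool[i];
        }
    }
    return NULL;
}

static void element_addref(Element *e) { e->refcount++; }

/* Drops one reference; at zero the slot is poisoned and returned to the pool,
 * which is the moment a real engine would free the memory. */
static void element_release(Element *e) {
    if (e->refcount == 0) return;          /* already freed: ignore over-release */
    if (--e->refcount == 0) {
        e->live = 0;
        strcpy(e->tag, "FREED");           /* poison so a stale read is visible */
    }
}

static int element_is_live(const Element *e) { return e->live; }

/* The document tree owns one reference to the element it contains. */
typedef struct Document { Element *child; } Document;

/* A callback the layout engine invokes mid-way (e.g. an event handler); in the
 * advisory's scenario this is script that the page controls. */
typedef void (*layout_hook)(Document *doc);

/* Script-driven mutation: remove the element from the tree, which drops the
 * tree's reference. If nothing else holds one, the element is freed here. */
static void hook_remove_child(Document *doc) {
    Element *e = doc->child;
    doc->child = NULL;
    element_release(e);
}

/* Benign hook that leaves the tree alone. */
static void hook_noop(Document *doc) { (void)doc; }

/* Vulnerable pattern: the engine caches a raw pointer to the element across a
 * callback without taking its own reference. Returns 1 if the element it goes
 * on to use was freed during the callback (the use-after-free condition). */
static int layout_vulnerable(Document *doc, layout_hook hook) {
    Element *e = doc->child;               /* raw pointer, no AddRef */
    hook(doc);                             /* may run script that releases e */
    return element_is_live(e) ? 0 : 1;     /* a real engine would dereference e here */
}

/* Hardened pattern: hold a reference for as long as the pointer is in use, so
 * the callback can at most bring the count down to one; the object is freed
 * only when this function releases it. */
static int layout_hardened(Document *doc, layout_hook hook) {
    Element *e = doc->child;
    element_addref(e);                     /* pin the object across the callback */
    hook(doc);
    int stale = element_is_live(e) ? 0 : 1;
    element_release(e);                    /* freed here if script removed it from the tree */
    return stale;
}

/* Runs one scenario from a fresh document and returns the stale flag
 * (1 = the engine would have used a freed element, 0 = safe). */
static int run_scenario(int hardened, int mutate) {
    Document doc = { element_alloc("div", 1) };
    if (!doc.child) return -1;
    layout_hook hook = mutate ? hook_remove_child : hook_noop;
    int stale = hardened ? layout_hardened(&doc, hook) : layout_vulnerable(&doc, hook);
    if (doc.child) element_release(doc.child);   /* tree drops its reference at teardown */
    return stale;
}

int main(void) {
    printf("vulnerable, script removes element: stale=%d\n", run_scenario(0, 1));
    printf("hardened,   script removes element: stale=%d\n", run_scenario(1, 1));
    printf("vulnerable, no mutation:            stale=%d\n", run_scenario(0, 0));
    return 0;
}
```

The point the toy makes is that the defect is not in the reference counting
itself but in code that uses a pointer without owning a reference while
re-entrant script can run; pinning the object for the duration of the
operation turns a dangling pointer into a harmless extra reference that is
dropped afterwards. Poisoning freed slots is the same idea debugging
allocators use to make a stale access visible rather than silently reusable.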

Vendor Response

Microsoft states:

This vulnerability is being disclosed publicly without a patch in accordance 
with the ZDI 120 day deadline.

06/03/2014 - ZDI sent disclosure to the vendor 

06/03/2014 - Vendor acknowledged (vendor provided regular updates) 

11/14/2014 - Vendor notified they will not make 180 days (actual timeline was 
120 days) 

11/19/2014 - ZDI notified of intent to publish 0-day and requested mitigation

- -- Mitigations:

- - In a web-based attack scenario, an attacker could host a specially crafted 
website that is designed to exploit these vulnerabilities through Internet 
Explorer, and then convince a user to view the website. The attacker could 
also take advantage of compromised websites and websites that accept or host 
user-provided content or advertisements. These websites could contain 
specially crafted content that could exploit these vulnerabilities. In all 
cases, however, an attacker would have no way to force users to view the 
attacker-controlled content. Instead, an attacker would have to convince users
to take action, typically by getting them to click a link in an email message
or in an Instant Messenger message that takes users to the attacker's website,
or by getting them to open an attachment sent through email.

- - An attacker who successfully exploited these vulnerabilities could gain the
same user rights as the current user. Users whose accounts are configured to 
have fewer user rights on the system could be less impacted than users who 
operate with administrative user rights.

- - By default, all supported versions of Microsoft Outlook, Microsoft Outlook 
Express, and Windows Mail open HTML email messages in the Restricted sites 
zone. The Restricted sites zone, which disables script and ActiveX controls, 
helps reduce the risk of an attacker being able to use these vulnerabilities 
to execute malicious code. If a user clicks a link in an email message, the 
user could still be vulnerable to exploitation of these vulnerabilities 
through the web-based attack scenario.

- - By default, Internet Explorer on Windows Server 2003, Windows Server 2008, 
Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs 
in a restricted mode that is known as Enhanced Security Configuration. This 
mode mitigates these vulnerabilities. See the FAQ section for these 
vulnerabilities for more information about Internet Explorer Enhanced Security
Configuration.

- - Set Internet security zone settings to "High" to block ActiveX Controls and
Active Scripting in these zones.

- - Configure Internet Explorer to prompt before running Active Scripting or to
disable Active Scripting in the Internet and Local intranet security zone.

- - Install EMET. The Enhanced Mitigation Experience Toolkit (EMET) enables 
users to manage security mitigation technologies that help make it more 
difficult for attackers to exploit vulnerabilities in a given piece of 
software. EMET helps to mitigate this vulnerability in Internet Explorer on 
systems where EMET is installed and configured to work with Internet Explorer.
For more information about EMET, see The Enhanced Mitigation Experience 
Toolkit.

Disclosure Timeline

    2014-06-03 - Case submitted to the ZDI 
    2014-12-04 - Public release of advisory

Credit

This vulnerability was discovered by:

    Arthur Gerkis

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----