-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2302
  (0Day) Microsoft Internet Explorer display:run-in Use-After-Free Remote
                       Code Execution Vulnerability
                               5 December 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Internet Explorer
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Mitigation
CVE Names:         CVE-2014-8967

Original Bulletin:
   http://www.zerodayinitiative.com/advisories/ZDI-14-403/

Comment: The Zero Day Initiative has provided mitigations, which are stated
         in the body of its notification.

--------------------------BEGIN INCLUDED TEXT--------------------

(0Day) Microsoft Internet Explorer display:run-in Use-After-Free Remote Code
Execution Vulnerability

ZDI-14-403: December 4th, 2014

CVE ID
CVE-2014-8967

CVSS Score
6.8, (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Affected Vendors
Microsoft

Affected Products
Internet Explorer

TippingPoint IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital
Vaccine protection filter ID 16284. For further product information on the
TippingPoint IPS:
http://www.tippingpoint.com

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The vulnerability relates to how Internet Explorer uses reference counting to
manage the lifetimes of the in-memory objects representing HTML elements
(CElement objects). By applying a CSS style of display:run-in to a page and
performing particular manipulations, an attacker can cause an object's
reference count to fall to zero prematurely, causing the object to be freed.
Internet Explorer will then continue using this object after it has been
freed. An attacker can leverage this vulnerability to execute code under the
context of the current process.

Vendor Response
Microsoft states:

This vulnerability is being disclosed publicly without a patch in accordance
with the ZDI 120 day deadline.

06/03/2014 - ZDI sent disclosure to the vendor
06/03/2014 - Vendor acknowledged (vendor provided regular updates)
11/14/2014 - Vendor notified they will not make 180 days (actual timeline was
             120 days)
11/19/2014 - ZDI notified of intent to publish 0-day and requested mitigation

-- Mitigations:

- In a web-based attack scenario, an attacker could host a specially crafted
  website that is designed to exploit these vulnerabilities through Internet
  Explorer, and then convince a user to view the website. The attacker could
  also take advantage of compromised websites and websites that accept or host
  user-provided content or advertisements. These websites could contain
  specially crafted content that could exploit these vulnerabilities. In all
  cases, however, an attacker would have no way to force users to view the
  attacker-controlled content. Instead, an attacker would have to convince
  users to take action, typically by getting them to click a link in an email
  message or in an Instant Messenger message that takes users to the
  attacker's website, or by getting them to open an attachment sent through
  email.

- An attacker who successfully exploited these vulnerabilities could gain the
  same user rights as the current user. Users whose accounts are configured to
  have fewer user rights on the system could be less impacted than users who
  operate with administrative user rights.

- By default, all supported versions of Microsoft Outlook, Microsoft Outlook
  Express, and Windows Mail open HTML email messages in the Restricted sites
  zone. The Restricted sites zone, which disables script and ActiveX controls,
  helps reduce the risk of an attacker being able to use these vulnerabilities
  to execute malicious code. If a user clicks a link in an email message, the
  user could still be vulnerable to exploitation of these vulnerabilities
  through the web-based attack scenario.

- By default, Internet Explorer on Windows Server 2003, Windows Server 2008,
  Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs
  in a restricted mode that is known as Enhanced Security Configuration. This
  mode mitigates these vulnerabilities. See the FAQ section for these
  vulnerabilities for more information about Internet Explorer Enhanced
  Security Configuration.

- Set Internet security zone settings to "High" to block ActiveX Controls and
  Active Scripting in these zones.

- Configure Internet Explorer to prompt before running Active Scripting or to
  disable Active Scripting in the Internet and Local intranet security zones.

- Install EMET. The Enhanced Mitigation Experience Toolkit (EMET) enables
  users to manage security mitigation technologies that help make it more
  difficult for attackers to exploit vulnerabilities in a given piece of
  software. EMET helps to mitigate this vulnerability in Internet Explorer on
  systems where EMET is installed and configured to work with Internet
  Explorer. For more information about EMET, see The Enhanced Mitigation
  Experience Toolkit.

Disclosure Timeline
2014-06-03 - Case submitted to the ZDI
2014-12-04 - Public release of advisory

Credit
This vulnerability was discovered by:
Arthur Gerkis

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVIEi4xLndAQH1ShLAQJTbg//To8Zj7e2yMWt26YypIBUmMtZFb1fVwAf
LrELyYN1bcmZ5wCkfb4n264pUF6IvlhvAgVup6ttesmtNSZHcJI3XB28UexTf8b9
TxD0Iu/SXvKZywvFL9m7LJYyqKZbfhhhO4/W1SP7Rf3iXqlEU66zsEJed3CXImwN
9yie9oLf5lN7JO683p1eisbYo9nHwkFm4LqyQ1rubbsFjMCj7ERLfyvOZ44qzJp0
fvDg6vWKX82rReu32ftssAXXojcXUH1yZiC4QwtwS/tGNQE8b0K66CI2O8zjtHNb
+lJ3DBJ3bGEhhYrqjA4+xz08V/m11V33y1bjyic324GK1eKS/GVFib17Ea6E6KVN
RsANhlimR5CgFZ9coFH70Y6Um2NyX8tciOsLbf12441kLhVBZQBCNKh3JS/vNmG0
Ecop5E5ijbM6SntF66LmlXGt9HiJtV7KGfkht1NuV8jvcR/7aKBTICOZU26awlTP
T/JLiQ3AWnm5nik1/Zpp3CfoRCh0oprfRPpx0XcAGi7R7kBjRDoz1QCNuHs9vNMd
pq4fkl+qoEecOMwblKGPOAaZx6uWTspd3QqlmTle0xYBuT/d2lkry9PNHEHvmggU
0Eav/Hqxu6ror2mJkORm2Yi3MQGLqHisArxtaS+bO1G201ZJ+lgudDXwJAcjhWW5
EuUxODRnkdY=
=63p/
-----END PGP SIGNATURE-----
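The lifetime bug that the Vulnerability Details section describes (a reference count that reaches zero while a pointer to the object is still in use, after which the browser keeps using the freed object) shown as an added, generic C model. This is editor-supplied example code, not Internet Explorer's code and not the ZDI proof of concept: the Element type, the function names and the two-element tree are constructed for illustration, and the display:run-in trigger itself is not reproduced. Destroyed objects are parked in a quarantine instead of being returned to the allocator, so the dangling access is reported deterministically as -1 rather than being undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a reference-counted element object. It is not
 * Internet Explorer's CElement and does not reproduce the display:run-in
 * trigger; it only shows the lifetime bug class the advisory describes. */
typedef struct Element {
    char name[16];
    int refcount;
    int live;                 /* cleared when the last reference is dropped */
    struct Element *child;    /* the tree owns one reference to the child */
} Element;

/* Destroyed objects go to a quarantine instead of free() so that a later
 * use is detectable and deterministic. With a real allocator the memory is
 * reused and the dangling access is undefined behaviour (exploitable). */
#define QUARANTINE_MAX 16
static Element *quarantine[QUARANTINE_MAX];
static int quarantined;

static Element *element_new(const char *name) {
    Element *e = calloc(1, sizeof *e);
    strncpy(e->name, name, sizeof e->name - 1);
    e->refcount = 1;          /* the creator's reference */
    e->live = 1;
    return e;
}

static void element_addref(Element *e) { e->refcount++; }

static void element_release(Element *e) {
    if (--e->refcount > 0) return;
    e->live = 0;              /* destructor: the object is now "freed" */
    if (e->child) { element_release(e->child); e->child = NULL; }
    if (quarantined < QUARANTINE_MAX) quarantine[quarantined++] = e;
}

/* Simulated member access: -1 flags a use after the refcount hit zero. */
static int element_use(const Element *e) {
    return e->live ? (int)strlen(e->name) : -1;
}

/* The tree takes its own reference on attach and drops it on detach. */
static void set_child(Element *parent, Element *child) {
    if (child) element_addref(child);
    if (parent->child) element_release(parent->child);
    parent->child = child;
}

/* Buggy pattern: the caller keeps a borrowed pointer to the child, a
 * style/tree manipulation detaches it (dropping the tree's only reference),
 * and the code keeps using the pointer after the object was destroyed. */
static int relayout_buggy(Element *parent) {
    Element *child = parent->child;    /* borrowed: no addref taken */
    set_child(parent, NULL);           /* refcount 1 -> 0, child destroyed */
    return element_use(child);         /* dangling pointer: use-after-free */
}

/* Hardened pattern: hold a reference for as long as the pointer is used. */
static int relayout_fixed(Element *parent) {
    Element *child = parent->child;
    if (child == NULL) return 0;
    element_addref(child);             /* refcount 1 -> 2, we own the pointer */
    set_child(parent, NULL);           /* refcount 2 -> 1, object stays live */
    int r = element_use(child);
    element_release(child);            /* refcount 1 -> 0, destroyed safely */
    return r;
}

/* Builds a two-element tree, runs one relayout variant, and returns its
 * result: 5 (strlen("runin")) when the access was valid, -1 on UAF. */
static int run_scenario(int hardened) {
    Element *body = element_new("body");
    Element *runin = element_new("runin");
    set_child(body, runin);            /* runin refcount 1 -> 2 */
    element_release(runin);            /* creator drops its ref: 2 -> 1 */
    int r = hardened ? relayout_fixed(body) : relayout_buggy(body);
    element_release(body);             /* 1 -> 0, body destroyed */
    while (quarantined > 0) free(quarantine[--quarantined]);
    return r;
}

int main(void) {
    printf("borrowed pointer, no addref : %d (-1 = use-after-free)\n",
           run_scenario(0));
    printf("reference held across use   : %d\n", run_scenario(1));
    return 0;
}
```

Build with any C compiler (cc example.c). The only difference between the two relayout routines is the AddRef/Release bracket around the detach; that bracket is what a reviewer looks for wherever a routine holds a raw pointer into a tree that a style change, script callback or event handler can mutate. If the quarantine is replaced with a real free(), the buggy path becomes a heap-use-after-free that AddressSanitizer reports immediately, which is the quickest way to reproduce this bug class in a fuzzing harness.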