UNpatched IE8 0-day CMarkup Use-After-Free Vulnerability
The following has been copied/pasted from http://secunia.com/advisories/58768/ (which, while still free, now requires a user to log in to their site in order to view):
Description
A [highly critical] vulnerability has been reported in Microsoft Internet Explorer [ 8 ], which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a use-after-free error when handling CMarkup objects, which can be exploited to cause memory corruption.
Successful exploitation may allow execution of arbitrary code [by remote attackers. Note: User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file].
Solution:
No official solution is currently available.
Original Advisory:
ZDI: http://www.zerodayinitiative.com/advisories/ZDI-14-140/
=================================================
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1770
=================================================
EMET helps to mitigate this vulnerability ---
but there was no indication as to which versions of EMET are needed here ---
I would speculate that 4.x SHOULD work... but what about 3.x (or 2.x) ???....
nor which of EMET's mitigations must be enabled (4.x includes new mitigations
not previously available in EMET... but most of these are not XP-accessible).
joe53
May 23rd, 2014 06:00
I suspect this is the IE8 zero day vulnerability discovered last October, but just recently revealed. I doubt MS has any intention of patching it. IE8 users are forewarned!
https://threatpost.com/another-internet-explorer-zero-day-surfaces/106223
ky331
June 8th, 2014 17:00
Microsoft announced it will include a fix for this vulnerability as part of its monthly IE update on Tuesday, 10 June.
EDIT: The fix was included as part of MS14-035.
HOWEVER, we would NOT expect them to release an XP version.