Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

ky331

3 Apprentice

 • 

15.3K Posts

10618

May 23rd, 2014 05:00

UNpatched IE8 0-day CMarkup Use-After-Free Vulnerability

The following has been copied/pasted from http://secunia.com/advisories/58768/  (which, while still free, now requires a user to log-in to their site in order to view):

Description


A [highly critical] vulnerability has been reported in Microsoft Internet Explorer [ 8 ], which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a use-after-free error when handling CMarkup objects, which can be exploited to cause memory corruption.

Successful exploitation may allow execution of arbitrary code [by remote attackers.  Note:  User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file].

Solution:
No official solution is currently available.

Original Advisory:
ZDI:   http://www.zerodayinitiative.com/advisories/ZDI-14-140/

=================================================

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1770

=================================================

EMET helps to mitigate this vulnerability ---

but there was no indication as to which versions of EMET are needed here ---
I would speculate that 4.x SHOULD work... but what about 3.x (or 2.x) ???....

nor which of EMET's mitigations must be enabled (4.x includes new mitigations

not previously available in EMET... but most of these are not XP-accessible).

joe53

2 Intern

 • 

5.8K Posts

May 23rd, 2014 06:00

I suspect this is the IE8 zero day vulnerability discovered last October, but just recently revealed. I doubt MS has any intention of patching it. IE8 users are forewarned!

https://threatpost.com/another-internet-explorer-zero-day-surfaces/106223

ky331

3 Apprentice

 • 

15.3K Posts

June 8th, 2014 17:00

Microsoft announced it will include a fix for this vulnerability as part of its monthly IE update on Tuesday, 10 June.

EDIT:   The fix was included as part of MS14-035

HOWEVER, we would NOT expect them to release an XP version.

View More

View All

No Events found!

Top