Microsoft issues the patch for the debated IE critical vulnerabilities

Pierluigi Paganini June 06, 2014

Microsoft has announced the official patch for the critical vulnerability discovered recently in the Internet Explorer.

Microsoft has published the “Microsoft Security Bulletin Advance Notification for June 2014” in which are released seven security Bulletins addressing different vulnerabilities in the company’s products.

The notification includes two critical Remote Code Execution vulnerabilities affecting the products Microsoft Windows, Internet Explorer, MS Office and Lync, the remaining flaw are classified as “Important”.

Microsoft announced that the update will be released this Tuesday, my readers remember that the critical vulnerability in the Internet Explored was disclosed in May and raised numerous controversy within the IT community. According many sources, Microsoft had kept hidden the flaw since October 2013, this means that in this period users were exposed to the cyber threats able to exploit the flaw in the popular browser.

The curious thing is that after six months of silence of Microsoft, probably attributable to a difficulty to fix the bug, the company has completed the development of a patch in just 3 weeks (more or less).

As suggested by Microsoft the critical Bulletins (ID 1 and ID2) must be immediately fixed, the first one will address a the Remote Code Execution vulnerability affecting all versions of Internet Explorer.


Microsoft Security Advisor vulnerablity


The vulnerability reported in the Bulletin 1 is considered the most critical vulnerability, all server versions of Windows are affected by this vulnerability, but with a low severity rate.

 As reported by Mitre the vulnerability CVE-2014-1770 in Microsoft Internet Explorer 8 “allows remote attackers to execute arbitrary code via crafted JavaScript code that interacts improperly with a CollectGarbage function call on a CMarkup object allocated by the CMarkup::CreateInitialMarkup function.” 

The vulnerability in Microsoft Internet Explorer 8 is a remote code execution and could allow an attacker to remotely execute arbitrary code through a bug in CMarkup objects as explained on ZDI (Zero Day Initiative). ZDI has reported the flaw to Microsoft on 10/11/2013 but the company confirmed reproduction only on 02/10/2014, but it hasn’t issued any patch neither it has informed its customers.

In a typical attack scenario, a hacker just have to deploy a malicious content on a compromised websites and persuade victims to visit it, for example though a spear phishing attack.

According disclosure policy, after 180 days from notification of the flaw ZDI obliges it to publicly disclose the details of a flaw. Microsoft, despite was informed many times of the disclosure policy by ZDI didn’t respond to it.

Also the second Bulletin is related to a critical Remote Code Execution vulnerabilities in Windows and Office products affecting all versions of Windows including Server Core, Microsoft Live Meeting 2007 Console and all versions of Microsoft Lync, excluding the Lync Server.

Pierluigi Paganini

(Security Affairs –  Microsoft, remote code execution vulnerability)

you might also like

leave a comment