Four “new” Internet Explorer vulnerabilities have been announced this week. The announcement did not come from Microsoft; security researchers revealed the flaws because Microsoft has been too slow to address them. A patch has still not been released to address the security flaws even though Microsoft was made aware of the problems more than seven months ago.
The announcement came via Hewlett-Packard’s Zero Day Initiative (ZDI) program, which pays security professionals to identify software flaws that could potentially be used by hackers to gain access to computers, or infect them with malware.
The ZDI team announces security flaws that have not been addressed by software developers in a reasonable time-frame: 120 days from the date of discovery of a vulnerability. Since this time-frame has been exceeded, ZDI researchers have now released limited details of the issues to the public.
The ZDI team only issues partial information on the location and nature of the security flaws, and does not disclose information that would tip off hackers and allow them to take advantage of the flaw.
This time around, that proved to be the case with only three of the four vulnerabilities. For one, however, much more detailed information has been released, and it is not just a theoretical entry point for hackers; it has been proven that it can be used to infect a host computer.
Internet Explorer Vulnerability Proven as an Entry Point for Hackers
In November last year, ZDI ran a Mobile Pwn2Own hacking contest in which hackers were provided with details of security flaws and were invited to try to exploit them. The Internet Explorer flaw – affecting the CTableLayout::AddRow() function – was successfully exploited by one hacker, Nicolas Joly, in the contest.
The vulnerability allows hackers to force IE to use memory past the end of an array of HTML cells. According to ZDI, hackers could potentially “leverage this vulnerability to execute code under the context of the current process.”
The information gathered during the contest is shared with software providers, but in this case the issue has yet to be addressed by Microsoft. ZDI alerted Microsoft to the issue on December 11, 2014. Microsoft responded and asked for an extension to the deadline to allow it to deal with the issue and two similar vulnerabilities. A request was made to delay the announcement until July 19, 2015 to allow Microsoft time to develop a patch.
ZDI agreed to issue an extension and delayed the announcement until May 12, 2015, but when it became clear that the deadline could not be met, ZDI decided to honor the original request. Before the vulnerability was finally announced, ZDI contacted Microsoft for an update on the issue and was advised that a build was expected, but no date was provided for when that build would be made available. As a result, the flaw was announced.
How the Internet Explorer Security Flaw can be Exploited
While the flaw could potentially be exploited, it would require some user input. The user would need to be convinced to visit an infected webpage. As pointed out by ZDI, this could be achieved “by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by getting them to open an attachment sent through email.”
Unfortunately for users, hackers can be particularly convincing in this regard. Over the past 12 months, numerous data breaches have been caused as a result of workers falling for a phishing or spear phishing campaign.
There is a simple way of mitigating risk until a patch is issued to fix the flaw. ZDI recommends users “configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.” Alternatively, a more secure browser could be used.
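One way to check and apply the Active Scripting mitigation described above on a single Windows account, as an added example that does not come from ZDI or Microsoft. It assumes the standard per-user zone settings in the registry, where URL action 1400 is Active Scripting (0 = Enable, 1 = Prompt, 3 = Disable), zone 1 is Local intranet and zone 3 is Internet; the script name used below is hypothetical.

```powershell
# Added example: audit or apply the "prompt / disable Active Scripting" mitigation.
# Assumptions: URL action 1400 = Active scripting; 0 = Enable, 1 = Prompt, 3 = Disable;
# zone 1 = Local intranet, zone 3 = Internet.
param(
    [ValidateSet('Audit', 'Prompt', 'Disable')]
    [string]$Mode = 'Audit'
)

$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$labels  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$targets = @{ Prompt = 1; Disable = 3 }
$userBase   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$policyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Read URL action 1400 for one zone; returns $null when the value is not set.
function Get-ScriptingSetting([string]$Base, [int]$Zone) {
    $item = Get-ItemProperty -Path "$Base\$Zone" -Name '1400' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.'1400'
}

# Turn a raw value into a readable label.
function Format-Setting($Value) {
    if ($null -eq $Value) { return 'not set' }
    if ($labels.ContainsKey($Value)) { return $labels[$Value] }
    return "unknown ($Value)"
}

foreach ($zone in ($zones.Keys | Sort-Object)) {
    if ($Mode -ne 'Audit') {
        $path = "$userBase\$zone"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name '1400' -Value $targets[$Mode] -Type DWord
    }
    $user   = Get-ScriptingSetting $userBase $zone
    $policy = Get-ScriptingSetting $policyBase $zone
    # A value pushed by Group Policy takes precedence over the per-user one,
    # so a per-user change alone may not be what the browser actually uses.
    $effective = if ($null -ne $policy) { $policy } else { $user }
    [pscustomobject]@{
        Zone        = $zones[$zone]
        UserSetting = Format-Setting $user
        Policy      = Format-Setting $policy
        Mitigated   = ($effective -in 1, 3)
    }
}
```

Run with no arguments (for example `.\Set-IEActiveScripting.ps1`) to report the current state only, or with `-Mode Prompt` or `-Mode Disable` to apply the setting to both zones for the current user.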