Oh Microsoft, How could you do this to your own Internet Explorer? Microsoft had kept hidden a critical Zero-Day vulnerability of Internet explorer 8 from all of us, since October 2013.
A Critical zero-day Internet Explorer vulnerability (CVE-2014-1770), which was discovered by Peter 'corelanc0d3r' Van Eeckhoutte in October 2013 just goes public today by the Zero Day Initiative (ZDI) website.
Zero Day Initiative is a program for rewarding security researchers for responsibly disclosing vulnerabilities. ZDI reportedly disclosed the vulnerability to Microsoft when it was first identified by one of its researchers, on which Microsoft responded 4 month later on February 2014 and confirmed the flaw, but neither the Microsoft patch the vulnerability nor it disclosed any details about it.
But due to ZDI’s 180 days public notification policy, they are obligated to publicly disclosed the details of a Zero-Day vulnerability. ZDI warned Microsoft several days ago about the pending public disclosure of the flaw after it completed 180 days as on April, but apparently Microsoft didn’t respond to it.
According to the ZDI Security Advisory, the vulnerability is a zero day remote code execution flaw that affects the Internet Explorer version 8 and allows a remote attacker to execute arbitrary code through a bug in CMarkup objects.
In a web-based attack scenario, an attacker could leverage the Vulnerability through compromise websites and by clicking on email attachments. To perform successful web-based attacks, an attacker can host specially crafted content on the compromised websites that could trigger the reported vulnerability.
“In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by getting them to open an attachment sent through email,” reads the ZDI post.
By successful exploitation of the flaw, an attacker could gain the same user rights as the current user on the compromised system and victim ‘users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.’
If you are using Microsoft Outlook, Microsoft Outlook Express, or Windows Mail to open HTML emails, then it automatically disables the Script and ActiveX controls, that helps reduce the risk of an attacker being able to use these vulnerabilities to execute malicious code.
But once the user clicks any malicious link attached with the email messages, he or she would fall victim for the exploitation of these vulnerabilities through the web-based attacks.
Moreover, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 users should not worry if they have Enhanced Security Configuration enabled on their Internet Explorer, because this mode mitigates these vulnerabilities.
The vulnerability has not been addressed by Microsoft and no patch is available yet for this critical zero day vulnerability, so Internet Explorer user are still vulnerable to the zero-day attack.
You are advised to block ActiveX Controls and Active Scripting and also install EMET (Enhanced Mitigation Experience Toolkit), that enable you to manage security mitigation technologies that help make it more difficult for attackers to exploit vulnerabilities in a given piece of software.
Just few days back, a similar remote code execution vulnerability in the Internet Explorer that affected almost all the versions of IE was reported by the security firm FireEye.