The Hewlett-Packard's Zero-Day Initiative (ZDI) has disclosed four new zero-day vulnerabilities in Microsoft's Internet Explorer browser that could be exploited to remotely execute malicious code on victim's machine.
All the four zero-days originally were reported to Microsoft, affecting Internet Explorer on the desktop. However, later it was discovered that the zero-day vulnerabilities affected Internet Explorer Mobile on Windows Phones as well.
Each of the four zero-day flaws affects different components of the browser, and all are remotely exploitable through typical drive-by attacks.
Four Zero-day vulnerabilities Disclosed by ZDI
Here are the zero-day vulnerabilities, as reported by ZDI:
- ZDI-15-359: AddRow Out-Of-Bounds Memory Access Vulnerability
- ZDI-15-360: Use-After-Free Remote Code Execution Vulnerability
- ZDI-15-361: Use-After-Free Remote Code Execution Vulnerability
- ZDI-15-362: Use-After-Free Remote Code Execution Vulnerability
The most critical vulnerability out of the four bugs is the AddRow Out-Of-Bounds Memory Access flaw that affects the way Internet Explorer handles some specific arrays.
"The vulnerability relates to how Internet Explorer processes arrays representing cells in HTML tables," says the advisory issued by the Zero Day Initiative. "By manipulating a document’s elements an attacker can force the Internet Explorer (IE) to use memory past the end of an array of HTML cells. An attacker can leverage this vulnerability to execute code under the context of the current process."
Another vulnerability the company disclosed is a bug in how Internet Explorer handles CAttrArray objects. The vulnerability could allow an attacker to manipulate a document's elements in an attempt to force a free dangling pointer to be reused, leveraging the attacker to execute malicious code on victim's machine.
The two other zero-days are similar as they involve Internet Explorer mishandling CTreePos and CCurrentStyle objects in some circumstances. This leads to a dangling pointer that a remote attacker can reuse, allowing them to execute arbitrary code on the vulnerable machine.
Microsoft has fixed all the four zero-day vulnerabilities in the desktop version of its browser, but the flaws remain open on Internet Explorer Mobile.
HP's Zero Day Initiative does not slack with its 120-day disclosure policy. It notified Microsoft of the first zero-day flaw on November 12, 2014, and extended the disclosure deadline to May 12, 2015, then again to July 19. However, with no patch forthcoming, ZDI went public on July 22.