Mobile IE Zero Days

Friday, July 24, 2015 @ 04:07 PM gHale

Microsoft patched four remote code execution vulnerabilities Internet Explorer, but the flaws remain unpatched in IE’s mobile version.

These Zero Day flaws became public in accordance with HP’s Zero-Day Initiative’s (ZDI) 120-day disclosure deadline. In reality, Microsoft received over half a year to patch the bugs.

Microsoft Fixes New Windows Zero Day
Microsoft Patches Zero Day Holes
Flash Zero Days Abound
Espionage Group Leverages Flash Zero Day

Unbeknownst to ZDI and most everyone else, Microsoft patched the vulnerabilities in the desktop version of Internet Explorer July 8, 2014 (MS14-037) and on March 10, 2015 (MS15-018).

In its release, ZDI did not share many technical details on these security holes to prevent abuse.

One of the security bugs, an out-of-bounds memory access issue, ended up reported to Microsoft by researcher Nicolas Joly at HP’s Mobile Pwn2Own competition in November 2014. The vulnerability, related to how Internet Explorer processes arrays representing cells in HTML tables, can end up exploited by a remote attacker to execute arbitrary code.

ZDI said the vulnerability also affects IE on Windows Phone. Joly targeted the Lumia 1520 phone at the Mobile Pwn2Own hacking competition.

Microsoft initially received a May 12 deadline, but then it extended to July 19 at the vendor’s request. Since the company failed to meet this deadline, ZDI decided to inform users of the flaw.

The other three Zero Days affecting Internet Explorer are use-after-free issues discovered by ZDI researcher AbdulAziz Hariri and reported to Microsoft in January 2015.

These vulnerabilities link to the handling of CCurrentStyle, CAttrArray and CTreePos objects.

“By manipulating a document’s elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process,” ZDI said in its advisories for the vulnerabilities found by Hariri.

Microsoft requested an extension of the disclosure deadline until July 19 for these bugs as well, but the company missed the patch deadline.

Mitigation advice for these vulnerabilities from ZDI includes configuring Internet Explorer to prompt before running Active Scripting, or disabling the feature in the Internet and Local Intranet security zones.