BeyondTrust

Security in Context: The BeyondTrust Blog

Internet Explorer Use-After-Free

Disclosed April 26, 2014    Fully Patched

Vulnerability Description:

FireEye recently identified a previously unknown use-after-free vulnerability, used in limited attacks in the wild, that affects all supported versions of Internet Explorer as well as Internet Explorer 6. The attack uses a well-known Flash exploit to help bypass ASLR and DEP, but may be mitigated by EMET. Additionally, the attack targets only IE9 through IE11.

Vendors:

Microsoft

Vulnerable Software/Devices:

Internet Explorer 6
Internet Explorer 7
Internet Explorer 8
Internet Explorer 9
Internet Explorer 10
Internet Explorer 11

Vulnerability Severity:

High

Exploit Availability:

Privately Available

Exploit Impact:

Remote Code Execution

Internet Explorer contains a vulnerability whereby a specially crafted webpage may trigger memory corruption. The corruption is caused by Internet Explorer mishandling certain objects in memory, which may be used after they are deleted. An attacker can leverage this to execute arbitrary code in the context of the currently logged-on user.

BeyondTrust Prevention and Detection:

BeyondTrust's Retina® Network Security Scanner scans devices to detect this vulnerability, as well as associated vulnerabilities in Flash Player.

  • 33939 – Microsoft Internet Explorer Use-After-Free (KB2965111) – IE6 XP32
  • 33940 – Microsoft Internet Explorer Use-After-Free (KB2965111) – IE6 XP64/2K3/2K364
  • 33941 – Microsoft Internet Explorer Use-After-Free (KB2965111) – IE6 XP64/2K364 x64
  • 33942 – Microsoft Internet Explorer Use-After-Free (KB2965111) – IE7
  • 33943 – Microsoft Internet Explorer Use-After-Free (KB2965111) – IE7 x64
  • 33944 – Microsoft Internet Explorer Use-After-Free (KB2965111) – IE8 XP/2003
  • 33945 – Microsoft Internet Explorer Use-After-Free (KB2965111) – IE8 XP/2003 x64
  • 33946 – Microsoft Internet Explorer Use-After-Free (KB2965111) – IE8
  • 33947 – Microsoft Internet Explorer Use-After-Free (KB2965111) – IE8 x64
  • 33948 – Microsoft Internet Explorer Use-After-Free (KB2965111) – IE9
  • 33949 – Microsoft Internet Explorer Use-After-Free (KB2965111) – IE9 x64
  • 33950 – Microsoft Internet Explorer Use-After-Free (KB2965111) – IE10
  • 33951 – Microsoft Internet Explorer Use-After-Free (KB2965111) – IE10 x64
  • 33952 – Microsoft Internet Explorer Use-After-Free (KB2965111) – IE11
  • 33953 – Microsoft Internet Explorer Use-After-Free (KB2965111) – IE11 x64
  • 33877 – Adobe APSB14-13: Flash Player – IE for Windows XP/2003/Vista/2008/7
  • 33878 – Adobe APSB14-13: Flash Player – IE for Windows 8/2012/8.1/2012 R2
  • 33879 – Adobe APSB14-13: Flash Player – Other Browsers for Windows
  • 33880 – Adobe APSB14-13: Flash Player – Linux
  • 33881 – Adobe APSB14-13: Flash Player – Mac OS X

Mitigation:

EMET has been confirmed by Microsoft to mitigate exploitation of this vulnerability. Additionally, because this exploit requires Adobe Flash to execute successfully, removing or disabling Flash in Internet Explorer will mitigate exploitation. Lastly, Enhanced Protected Mode in Internet Explorer was seen to be effective at mitigating exploitation of this vulnerability, as tested by FireEye.

Links:

CVE(s):