|CERT-In Vulnerability Note
Multiple Vulnerabilities in Microsoft Internet Explorer
Original Issue Date:October 15, 2014
Severity Rating: HIGH
- Windows Server 2003 SP2, x64 Edition SP2, SP2 for Itanium-based Systems
- Windows Vista SP2 and x64 Edition SP2
- Windows Server 2008 for 32-bit Systems SP2, x64-based Systems SP2 and Itanium-based Systems SP2
- Windows 7 for 32-bit Systems SP1 and x64-based Systems SP1
- Windows Server 2008 R2 for x64-based Systems SP1 and Itanium-based Systems SP1
- Windows 8 for 32-bit Systems and x64-based Systems
- Windows 8.1 for 32-bit Systems and x64-based Systems
- Windows Server 2012
- Windows Server 2012 R2
- Windows RT
- Windows RT 8.1
- Internet Explorer 6, 7, 8, 9, 10 and 11
Multiple vulnerabilities have been reported in Microsoft Internet Explorer which could allow a remote attacker to cause elevation of privileges, cause security bypass or allow execution of arbitrary code.
1. Privilege Elevation Vulnerabilities
Two privilege elevation vulnerabilities exist in Internet Explorer due to improper validation of permissions under specific conditions. A remote attacker could exploit this vulnerability by convincing the user to view a specially crafted website. Successful exploitation of this vulnerability could allow the attacker to run arbitrary code with elevated privileges.
Also, this vulnerability in conjunction with other vulnerabilities could lead to further attacks.
2. ASLR Security Bypass Vulnerability
A security bypass vulnerability exists in Internet Explorer due to non usage of the Address Space Layout Randomization (ASLR) security feature. A remote attacker could exploit this vulnerability by predicting memory offsets of specific instructions in a given call stack to bypass the ASLR security feature.
This vulnerability in conjunction with other vulnerabilities could lead to further attacks.
3. Multiple Remote Code Execution Vulnerabilities
Multiple remote code execution vulnerabilities exist in Microsoft Internet Explorer due to improper accessing of objects in the memory. A remote attacker could exploit these vulnerabilities by enticing the targeted user to visit a malicious website through Internet Explorer which could result in memory corruption of the targeted system. Successful exploitation of the vulnerabilities could lead to execution of an arbitrary code in the context of the current user.
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
- Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
Apply appropriate patches as mentioned in Microsoft Security Bulletin
The information provided herein is on "as is" basis, without warranty of any kind.
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003