Friday, May 23, 2014

New IE 0-day details released

Hewlett Packard's Zero Day Initiative has released information about a zero-day vulnerability in Internet Explorer 8 that allows an attacker to execute code remotely. The bug was discovered by Peter 'corelanc0d3r' Van Eeckhoutte of the Corelan Team. ZDI disclosed the vulnerability to Microsoft in October, and Microsoft confirmed it in February. In keeping with its policy at the time of giving vendors 180 days to patch, ZDI decided to release general details of the bug to the public today. That policy was changed in February to 120 days.

"This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer," according to ZDI's advisory. "User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of CMarkup objects," ZDI continues.
