CERT-In Vulnerability Note
CIVN-2014-0225
Multiple Vulnerabilities in Microsoft Internet Explorer
Original Issue Date: October 15, 2014
Severity Rating: HIGH
Systems Affected
- Windows Server 2003 SP2, x64 Edition SP2, SP2 for Itanium-based Systems
- Windows Vista SP2 and x64 Edition SP2
- Windows Server 2008 for 32-bit Systems SP2, x64-based Systems SP2 and Itanium-based Systems SP2
- Windows 7 for 32-bit Systems SP1 and x64-based Systems SP1
- Windows Server 2008 R2 for x64-based Systems SP1 and Itanium-based Systems SP1
- Windows 8 for 32-bit Systems and x64-based Systems
- Windows 8.1 for 32-bit Systems and x64-based Systems
- Windows Server 2012
- Windows Server 2012 R2
- Windows RT
- Windows RT 8.1
Component Affected
- Internet Explorer 6, 7, 8, 9, 10 and 11
Overview
Multiple vulnerabilities have been reported in Microsoft Internet Explorer that could allow a remote attacker to gain elevated privileges, cause a security bypass or execute arbitrary code.
Description
1. Privilege Elevation Vulnerabilities
(CVE-2014-4123, CVE-2014-4124)
Two privilege elevation vulnerabilities exist in Internet Explorer due to improper validation of permissions under specific conditions. A remote attacker could exploit these vulnerabilities by convincing the user to view a specially crafted website. Successful exploitation could allow the attacker to run arbitrary code with elevated privileges. These vulnerabilities, in conjunction with other vulnerabilities, could also lead to further attacks.
2. ASLR Security Bypass Vulnerability
(CVE-2014-4140)
A security bypass vulnerability exists in Internet Explorer because the Address Space Layout Randomization (ASLR) security feature is not used. A remote attacker could exploit this vulnerability by predicting memory offsets of specific instructions in a given call stack to bypass the ASLR security feature. This vulnerability, in conjunction with other vulnerabilities, could lead to further attacks.
3. Multiple Remote Code Execution Vulnerabilities
(CVE-2014-4126, CVE-2014-4127, CVE-2014-4128, CVE-2014-4129, CVE-2014-4130, CVE-2014-4132, CVE-2014-4133, CVE-2014-4134, CVE-2014-4137, CVE-2014-4138, CVE-2014-4141)
Multiple remote code execution vulnerabilities exist in Microsoft Internet Explorer due to improper access to objects in memory. A remote attacker could exploit these vulnerabilities by enticing the targeted user to visit a malicious website through Internet Explorer, which could result in memory corruption on the targeted system. Successful exploitation of the vulnerabilities could lead to execution of arbitrary code in the context of the current user.
Workaround
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zones
- Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
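The following read-only PowerShell audit is an added example, not part of the CERT-In note or Microsoft's bulletin. It reports whether either workaround is in effect for the current user on a host. It assumes the standard Internet Explorer zone registry layout (zone 1 = Local intranet, zone 3 = Internet, action 1400 = Active scripting, CurrentLevel 0x12000 = High) and checks Group Policy keys before per-user settings; it does not account for machine-wide settings enforced through Security_HKLM_only.

```powershell
# Added example: audit the two workarounds for the current user (read-only).
# Assumed registry layout (standard IE security zone settings):
#   Zones\1 = Local intranet, Zones\3 = Internet
#   value 1400 = Active scripting: 0 = enable, 1 = prompt, 3 = disable
#   CurrentLevel 0x12000 = "High" security template
$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$actions = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$suffix  = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Group Policy values take precedence over the user's own settings,
# so they are read first.
$roots = @(
    "HKLM:\SOFTWARE\Policies\$suffix",
    "HKCU:\Software\Policies\$suffix",
    "HKCU:\Software\$suffix"
)

function Get-ZoneValue {
    param([int]$Zone, [string]$Name)
    foreach ($root in $roots) {
        $item = Get-ItemProperty -Path "$root\$Zone" -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = [int]$item.$Name; Source = $root }
        }
    }
    return $null   # not set anywhere: the built-in zone default applies
}

$report = foreach ($id in ($zones.Keys | Sort-Object)) {
    $scripting = Get-ZoneValue -Zone $id -Name '1400'
    $level     = Get-ZoneValue -Zone $id -Name 'CurrentLevel'
    $isHigh    = ($null -ne $level) -and ($level.Value -eq 0x12000)
    [pscustomobject]@{
        Zone            = $zones[$id]
        ActiveScripting = if ($scripting) { $actions[$scripting.Value] } else { 'Not set' }
        HighTemplate    = $isHigh
        Source          = if ($scripting) { $scripting.Source } else { '-' }
        # Met when the zone is at "High" or Active scripting is Prompt/Disable.
        WorkaroundMet   = $isHigh -or ($scripting -and $scripting.Value -in 1, 3)
    }
}
$report | Format-Table -AutoSize
```

A zone reported with WorkaroundMet = False still relies on the MS14-056 patch alone.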
Solution
Apply appropriate patches as mentioned in Microsoft Security Bulletin MS14-056.
Vendor Information
Microsoft
https://technet.microsoft.com/library/security/ms14-056
References
Microsoft
https://technet.microsoft.com/library/security/ms14-056
Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=35950
http://tools.cisco.com/security/center/viewAlert.x?alertId=35951
http://tools.cisco.com/security/center/viewAlert.x?alertId=35952
http://tools.cisco.com/security/center/viewAlert.x?alertId=35969
http://tools.cisco.com/security/center/viewAlert.x?alertId=35967
http://tools.cisco.com/security/center/viewAlert.x?alertId=35963
http://tools.cisco.com/security/center/viewAlert.x?alertId=35962
http://tools.cisco.com/security/center/viewAlert.x?alertId=35961
http://tools.cisco.com/security/center/viewAlert.x?alertId=35959
http://tools.cisco.com/security/center/viewAlert.x?alertId=35958
http://tools.cisco.com/security/center/viewAlert.x?alertId=35955
http://tools.cisco.com/security/center/viewAlert.x?alertId=35957
http://tools.cisco.com/security/center/viewAlert.x?alertId=35956
Security Tracker
http://www.securitytracker.com/id/1031018
CVE Name
CVE-2014-4123
CVE-2014-4124
CVE-2014-4140
CVE-2014-4126
CVE-2014-4127
CVE-2014-4128
CVE-2014-4129
CVE-2014-4130
CVE-2014-4132
CVE-2014-4133
CVE-2014-4134
CVE-2014-4137
CVE-2014-4138
CVE-2014-4141
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India