CERT-In Vulnerability Note
CIVN-2014-0275
Multiple Vulnerabilities in Microsoft Internet Explorer
Original Issue Date: December 10, 2014
Severity Rating: HIGH
Systems Affected
- Windows Server 2003 SP2, x64 Edition SP2, SP2 for Itanium-based Systems
- Windows Vista SP2 and x64 Edition SP2
- Windows Server 2008 for 32-bit Systems SP2, x64-based Systems SP2, Itanium-based Systems SP2
- Windows 7 for 32-bit SP1 and x64-based Systems SP1
- Windows Server 2008 R2 for x64-based SP1 and Itanium-based Systems SP1
- Windows 8 for 32-bit Systems and x64-based Systems
- Windows 8.1 for 32-bit Systems and x64-based Systems
- Windows Server 2012
- Windows Server 2012 R2
- Windows RT
- Windows RT 8.1
Component Affected
- Internet Explorer 6, 7, 8, 9, 10 and 11
Overview
Multiple vulnerabilities have been reported in Microsoft Internet Explorer which could allow a remote attacker to bypass security restrictions or execute arbitrary code.
Description
1. Memory Corruption Vulnerabilities
(CVE-2014-6327, CVE-2014-6329, CVE-2014-6330, CVE-2014-6366, CVE-2014-6369, CVE-2014-6373, CVE-2014-6374, CVE-2014-6375, CVE-2014-6376, CVE-2014-8966)
Multiple vulnerabilities exist in Internet Explorer due to improper access to objects in memory. A remote attacker could exploit these vulnerabilities by enticing the targeted user to visit a malicious website, which could result in memory corruption on the targeted system. Successful exploitation of these vulnerabilities could lead to execution of arbitrary code in the context of the logged-in user.
2. XSS Filter Bypass Vulnerabilities
(CVE-2014-6328, CVE-2014-6365)
Two vulnerabilities exist in Internet Explorer due to improper sanitization of user-supplied input. A remote attacker could exploit these vulnerabilities by enticing a user to open specially crafted content. Processing of the document could cause the XSS filter to disable HTML attributes, leading to execution of the malicious script in the wrong security context. Successful exploitation of these vulnerabilities could allow the attacker to gain sensitive browser-related information.
3. ASLR Security Bypass Vulnerability
(CVE-2014-6368)
A vulnerability exists in Internet Explorer due to non-usage of the Address Space Layout Randomization (ASLR) security feature. A remote attacker could exploit this vulnerability by predicting memory offsets of specific instructions in a given call stack to bypass the ASLR security feature. This vulnerability, in conjunction with other vulnerabilities, could lead to further attacks.
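Whether a module opts in to ASLR is recorded in its PE header, so it can be audited offline. The following is an added example, not part of the advisory or of Microsoft's tooling: it reads the DllCharacteristics field of a PE image. The helper build_sample and its byte layout are constructed for illustration, and the check is a general ASLR opt-in audit, not a test for CVE-2014-6368 itself.

```python
import struct
import sys

# DllCharacteristics bits from the PE/COFF specification
HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR
DYNAMIC_BASE = 0x0040     # image opts in to ASLR (/DYNAMICBASE)
NX_COMPAT = 0x0100        # image is DEP compatible
RELOCS_STRIPPED = 0x0001  # COFF Characteristics: image cannot be rebased

def pe_mitigations(data: bytes) -> dict:
    """Return the ASLR/DEP opt-in flags of a PE image given its raw bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 96 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    (coff_chars,) = struct.unpack_from("<H", data, e_lfanew + 22)
    opt = e_lfanew + 24  # optional header follows signature (4) + COFF header (20)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+
    (flags,) = struct.unpack_from("<H", data, opt + 70)
    relocs_stripped = bool(coff_chars & RELOCS_STRIPPED)
    return {
        # An image without relocations cannot be moved even if it opts in
        "aslr": bool(flags & DYNAMIC_BASE) and not relocs_stripped,
        "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
        "nx_compat": bool(flags & NX_COMPAT),
        "relocs_stripped": relocs_stripped,
    }

def build_sample(dll_chars: int, coff_chars: int = 0x2102) -> bytes:
    """Constructed minimal PE32 header for offline testing (not a real binary)."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)           # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x80 + 22, coff_chars)
    struct.pack_into("<H", buf, 0x80 + 24, 0x10B)     # PE32 magic
    struct.pack_into("<H", buf, 0x80 + 24 + 70, dll_chars)
    return bytes(buf)

if __name__ == "__main__":
    for path in sys.argv[1:]:  # audit modules passed on the command line
        with open(path, "rb") as fh:
            print(path, pe_mitigations(fh.read(4096)))
```

Modules reported with "aslr": False load at a predictable base address and are the ones to prioritise for updating or removal.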
4. VBScript Memory Corruption Vulnerability
(CVE-2014-6363)
This vulnerability exists in the Microsoft VBScript Engine in Internet Explorer due to improper handling of objects in memory. A remote attacker could exploit this vulnerability by enticing the targeted user to visit a malicious website, resulting in memory corruption. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code in the context of the logged-in user.
Solution
Apply appropriate patches as mentioned in Microsoft Security Bulletin MS14-080
Vendor Information
Microsoft
https://technet.microsoft.com/en-us/library/security/ms14-080
CVE Name
CVE-2014-6327
CVE-2014-6329
CVE-2014-6330
CVE-2014-6366
CVE-2014-6369
CVE-2014-6373
CVE-2014-6374
CVE-2014-6375
CVE-2014-6376
CVE-2014-8966
CVE-2014-6328
CVE-2014-6365
CVE-2014-6368
CVE-2014-6363
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology, Government of India, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi - 110 003, India