Unpatched IE Zero-Day Exploit Allows Hackers to Run Rogue Code

HP's (HPQ's) Zero Day Initiative (ZDI) has released details about a new Microsoft (MSFT) Internet Explorer security vulnerability.

Dan Kobialka, Contributing writer

May 23, 2014

HP's (HPQ's) Zero Day Initiative (ZDI), a program that rewards security researchers for responsibly disclosing vulnerabilities, this week released details about a new Microsoft (MSFT) Internet Explorer (IE) flaw.

Microsoft was told about the zero-day vulnerability in October, ZDI said. The IE exploit is the second of its kind reported in less than a month.

The new vulnerability affects IE 8 users and allows remote attackers to execute arbitrary code on affected versions of the web browser.

ZDI described the vulnerability’s impact on IE 8 users in a security advisory:

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit [vulnerabilities] through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements.”

An attacker who successfully exploited the IE vulnerability could gain the same user rights as the current user, ZDI said.

A Microsoft spokesperson yesterday told ZDNet the company was aware of the issue and had not detected any incidents affecting its customers.

“We build and thoroughly test every security fix as quickly as possible. Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations. We continue working to address this issue and will release a security update when ready in order to help protect customers. We encourage customers to upgrade to a modern operating system, such as Windows 7 or 8.1, and run the latest version of Internet Explorer which include further protections,” the Microsoft spokesperson said.

Microsoft has yet to patch the vulnerability, but ZDI is offering the following workarounds for the time being:

  • Set Internet security zone settings to “High” to block ActiveX Controls and Active Scripting.

  • Configure IE to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones.

  • Install the Enhanced Mitigation Experience Toolkit (EMET) to manage security mitigation technologies to make it more difficult for attackers to exploit vulnerabilities.
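
The Active Scripting workaround can be audited or applied per user through the registry. The PowerShell below is an added example, not part of ZDI's advisory or this article; it assumes the standard per-user IE zone keys (zone 1 = Local intranet, zone 3 = Internet) and URL action 1400 (Active Scripting), and the `$Mode` parameter is a name chosen for this example.

```powershell
# Added example: audit (default) or set the Active Scripting action for the
# Local intranet and Internet zones of the current user.
# URL action 1400 = Active Scripting: 0 = enable, 1 = prompt, 3 = disable.
# Zone settings enforced through Group Policy take precedence over these values.
param(
    [ValidateSet('Audit', 'Prompt', 'Disable')]
    [string]$Mode = 'Audit'   # hypothetical parameter name for this example
)

$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones     = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$labels    = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$wanted    = @{ 'Prompt' = 1; 'Disable' = 3 }

foreach ($id in ($zones.Keys | Sort-Object)) {
    $key = Join-Path $zonesRoot "$id"

    if ($Mode -ne 'Audit') {
        # Create the zone key if it is missing, then write the DWORD.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name '1400' -PropertyType DWord `
            -Value $wanted[$Mode] -Force | Out-Null
    }

    # Read back the effective per-user value (absent means the zone default applies).
    $prop = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        $state = 'Not set (zone default applies)'
    }
    elseif ($labels.ContainsKey([int]$prop.'1400')) {
        $state = $labels[[int]$prop.'1400']
    }
    else {
        $state = "Unrecognized value $($prop.'1400')"
    }

    # A zone is compliant with the workaround when scripting prompts or is disabled.
    $ok = ($state -eq 'Prompt') -or ($state -eq 'Disabled')
    New-Object PSObject -Property @{
        Zone            = $zones[$id]
        ActiveScripting = $state
        MeetsWorkaround = $ok
    }
}
```

Run it with no arguments to report the current state, or with `-Mode Prompt` or `-Mode Disable` to apply the setting before reporting.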
