
SANS ISC: New, Unpatched IE 0 Day published at ZDI - SANS Internet Storm Center


New, Unpatched IE 0 Day published at ZDI

The Zero Day Initiative has published a new and unpatched IE 0-day that was originally reported to them (and by extension, Microsoft) in October 2013.  In essence, a victim has to visit a crafted web page that takes advantage of a flaw in the handling of CMarkup objects, which can ultimately be used to execute code with the permissions of the web browser process.  Microsoft says EMET will mitigate this vulnerability, and at least TippingPoint claims protection with their devices.  At this point, there is no indication that it is being exploited in the wild.  The interesting thing here is the length of time between the initial report and the present, with still no patch available.

This diary will be updated as the situation warrants.

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting

John

248 Posts
ISC Handler
What this shows is.... responsible disclosure still doesn't work, especially with Microsoft and Internet Explorer. If responsible disclosure hadn't failed miserably, then this wouldn't be a zero day.

Their reputation precedes them: I am afraid little has changed since the Windows 2000/IE5 days. Never heard of a Firefox or Chrome vulnerability that was reported and the vendor chose to leave unaddressed so long....
Mysid

146 Posts
That means Microsoft have sat on this for 7 months with no action!?
amilroy

9 Posts
Why isn't the recommendation to upgrade to a new version of IE?

Also, I can't find enough technical information to home grow a signature to detect it. Does anybody have any detailed links?
Jasey

93 Posts
Quoting Jasey: Why isn't the recommendation to upgrade to a new version of IE?

Because for millions of lingering XP users, that would be tantamount to a recommendation to upgrade to a new version of Windows. IE8 is the last version available for Windows XP.

Mind you, getting off XP isn't itself a bad recommendation...
jjjdavidson

5 Posts
