U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Security

Microsoft issues the patch for the debated IE critical vulnerabilities

Microsoft has announced the official patch for the critical vulnerability discovered recently in the Internet Explorer. Microsoft has published the “Microsoft Security Bulletin Advance Notification for June 2014” in which are released seven security Bulletins addressing different vulnerabilities in the company’s products. The notification includes two critical Remote Code Execution vulnerabilities affecting the products Microsoft Windows, Internet Explorer, MS […]

January 2018 CVE-2018-0986Patch Tuesday

Microsoft has announced the official patch for the critical vulnerability discovered recently in the Internet Explorer.

Microsoft has published the “Microsoft Security Bulletin Advance Notification for June 2014” in which are released seven security Bulletins addressing different vulnerabilities in the company’s products.

The notification includes two critical Remote Code Execution vulnerabilities affecting the products Microsoft Windows, Internet Explorer, MS Office and Lync, the remaining flaw are classified as “Important”.

Microsoft announced that the update will be released this Tuesday, my readers remember that the critical vulnerability in the Internet Explored was disclosed in May and raised numerous controversy within the IT community. According many sources, Microsoft had kept hidden the flaw since October 2013, this means that in this period users were exposed to the cyber threats able to exploit the flaw in the popular browser.

The curious thing is that after six months of silence of Microsoft, probably attributable to a difficulty to fix the bug, the company has completed the development of a patch in just 3 weeks (more or less).

As suggested by Microsoft the critical Bulletins (ID 1 and ID2) must be immediately fixed, the first one will address a the Remote Code Execution vulnerability affecting all versions of Internet Explorer.

 

Microsoft Security Advisor vulnerablity

 

The vulnerability reported in the Bulletin 1 is considered the most critical vulnerability, all server versions of Windows are affected by this vulnerability, but with a low severity rate.

 As reported by Mitre the vulnerability CVE-2014-1770 in Microsoft Internet Explorer 8 “allows remote attackers to execute arbitrary code via crafted JavaScript code that interacts improperly with a CollectGarbage function call on a CMarkup object allocated by the CMarkup::CreateInitialMarkup function.” 

The vulnerability in Microsoft Internet Explorer 8 is a remote code execution and could allow an attacker to remotely execute arbitrary code through a bug in CMarkup objects as explained on ZDI (Zero Day Initiative). ZDI has reported the flaw to Microsoft on 10/11/2013 but the company confirmed reproduction only on 02/10/2014, but it hasn’t issued any patch neither it has informed its customers.

In a typical attack scenario, a hacker just have to deploy a malicious content on a compromised websites and persuade victims to visit it, for example though a spear phishing attack.

According disclosure policy, after 180 days from notification of the flaw ZDI obliges it to publicly disclose the details of a flaw. Microsoft, despite was informed many times of the disclosure policy by ZDI didn’t respond to it.

Also the second Bulletin is related to a critical Remote Code Execution vulnerabilities in Windows and Office products affecting all versions of Windows including Server Core, Microsoft Live Meeting 2007 Console and all versions of Microsoft Lync, excluding the Lync Server.

Pierluigi Paganini

(Security Affairs –  Microsoft, remote code execution vulnerability)