Hacking Team leak reveals zero-day IE 11 bug

Security company Vectra Networks has detected a zero-day vulnerability affecting Microsoft’s Internet Explorer (IE) 11, after scanning through the huge cache of data logs leaked from Hacking Team.

The Vectra Networks team found the previously unknown IE 11 vulnerability after discovering an email log from a third party attempting to sell off a ‘proof-of-concept’ exploit. 

The email, sent on 2 June, described a newly discovered bug that crashed IE 11. The bug affects a fully patched IE 11 on Windows 7 and Windows 8.1, Vectra advised.

Wade Williamson, director of product marketing at Vectra, explained to V3 that this was only one of many critical bugs found. However, he confirmed that the latest Patch Tuesday rollout from Microsoft has fixed the problem. Vectra notified Microsoft of the bug on 9 July.

The team at Vectra is continuing to work through the leaked Hacking Team data logs to find other potential bugs.

Microsoft also continued to roll out fixes for Adobe Flash with its latest Patch Tuesday release, specifically targeting CVE-2015-5122 and CVE-2015-5123, both zero-day vulnerabilities in the software.

Meanwhile, security experts at Trend Micro have advised users to uninstall Adobe Flash.

“The Hacking Team data has been available to the public (and attackers) for just over a week, which means it is readily available to attackers,” they said.

The security company also said that users running IE 11 should update to a patched version immediately, in light of the zero-day threat.

A number of critical zero-day vulnerabilities were the focus of major fixes during this Patch Tuesday. Microsoft released 14 security fixes, including several for Windows and IE.

Four of the fixes in the Microsoft July 2015 Patch Tuesday update are marked ‘critical’ and resolve gaps that are currently open to exploitation by hackers.

One of the most notable fixes is bulletin MS15-065, which patches a flaw that could allow remote code execution if a user visits a specially crafted website using IE. It affects all versions from IE 6 to 11.

“An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user,” explained the advisory.

Meanwhile MS15-066 fixes vulnerabilities in the VBScript scripting engine and affects Windows 2003, Vista and Server 2008.

Another critical patch, MS15-067, contains an array of fixes for Windows, including a vulnerability in Remote Desktop Protocol that could result in remote code execution.

Craig Young, a security researcher at Tripwire, stressed the importance of the MS15-067 fix.

“This should definitely be on the top of everyone’s install list. Although Microsoft says that code execution is tricky, there are a lot of smart people out there and I’m sure it won’t be long before proof-of-concept code starts floating around,” he said.

The last critical update, MS15-068, is for Windows versions 8 and 8.1 and versions of Windows Server 2008 and later. It patches a gap in Hyper-V that could allow remote code execution.

“An attacker must have valid log-on credentials for a guest virtual machine to exploit this vulnerability,” said Microsoft.

The remaining 10 patches are all marked ‘important’ and fix gaps in Windows, SQL Server and Microsoft Office.

Dustin Childs, information security expert at HP, confirmed that three of the flaws are actively being exploited.

Source: V3.co.uk