NEW YORK: IBM’s X-Force has uncovered a flaw that has gone unpatched for at least 19 years. The good news is that Microsoft has issued a patch for CVE-2014-6332 to tackle the 19-year-old flaw, which Big Blue researcher Robert Freeman called a “significant data manipulation vulnerability that impacts every version of Microsoft Windows from Windows 95 onward.”
But the bad news is hackers have had the ability to exploit it remotely since the days of Internet Explorer 3. Freeman described the complex vulnerability as a “rare, unicorn-like bug” that’s found in code on which IE relies but to which it doesn’t necessarily belong.
“The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user’s machine even sidestepping the Enhanced Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool Microsoft offers for free,” Freeman said in his report.
Just because Microsoft patched it doesn’t mean it’s not worth exploring. There are lessons to be learned in the wake of any bug that went undetected for the better part of two decades. In some respects, the vulnerability has been “sitting in plain sight” for a long time, even as many other bugs in the same Windows library were discovered and patched, Freeman said.
But here’s the scarier part: this revelation indicates there may be other bugs still to be discovered that relate more closely to arbitrary data manipulation than to more conventional vulnerabilities such as buffer overflows and use-after-free issues, according to Freeman.
“These data manipulation vulnerabilities could lead to substantial exploitation scenarios from the manipulation of data values to remote code execution,” he explained. “In fact, there may be multiple exploitation techniques that lead to possible remote code execution, as is the case with this particular bug. Typically, attackers use remote code execution to install malware, which may have any number of malicious actions, such as key logging, screen-grabbing and remote access.”
We caught up with Brandon Edwards, Vice President of Silver Sky Labs for network security firm Silver Sky, to get his thoughts on the zero-day flaw. He told us that VBScript contains the bug being exploited, and it appears to allow memory tampering through VBScript arrays. That ultimately changes values in memory related to permissions, granting the VBScript the permissions it needs to execute commands, he said.
“However, this does not appear to bypass the ‘Protected Mode’ included with modern versions of IE, which is basically a sandbox-like thing to prevent IE from unobstructed system access,” Edwards said. “Still, it completes the first step in gaining system control; most IE attacks have to ship with two exploits now, one to get initial access and one to bust out of Protected Mode.”
In a huge Patch Tuesday, Microsoft released 14 security updates to fix 33 vulnerabilities in its software products. Four of those updates are rated “critical,” nine are rated “important” and two are rated “moderate.”
The vulnerabilities span Microsoft Windows, Internet Explorer, Office, .NET Framework, Internet Information Services, Remote Desktop Protocol, Active Directory Federation Services, Input Method Editor (Japanese), and Kernel Mode Driver.