In its latest Patch Tuesday, Microsoft fixed a critical vulnerability that has existed since Windows 95 and affects Internet Explorer 3 all the way up to Internet Explorer 11. The bug, which comes from an old Windows library, could allow an attacker to remotely compromise a computer via a drive-by download attack.
The flaw was originally discovered by researchers at IBM X-Force in May 2014, and has been assigned CVE-2014-6332 with a CVSS score (severity index) of 9.3. Not only is the scope of this vulnerability extremely wide, but it is also capable of “sidestepping the Enhanced Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool” according to Robert Freeman, Manager, IBM X-Force Research.
The attack is made possible by leveraging a flaw in Visual Basic Script (VBScript), an Active Scripting language introduced in Internet Explorer 3.
By passing arbitrary data to an array and then shrinking it within the IE VBScript engine, a failure code can be triggered but yet the array remains unchanged. This allows to use out of bounds elements to directly read or write to the memory.
A proof of concept was quickly tweeted by a Chinese researcher where he pwned IE11 in the Windows 10 Technical Preview edition. He was able to pop Notepad by simply browsing to a webpage containing the exploit code:
Obviously, Notepad is a legitimate program but it could be replaced with anything and especially malware once the bad guys add this new weapon to their arsenal.
While at the moment there is no documented use of this exploit in the wild, this should only be a matter of time. A metasploit module has been published and given the extent of affected operating systems this makes exploiting the vulnerability a very attractive proposition.
It is worth noting that Microsoft has offered a patch for its currently supported operating systems, but not for Windows XP and of course any of its precursors.
It is quite hard to believe that such a critical flaw has existed and survived for so many years considering the natural evolution in software development. The fact that Internet Explorer still supports VBScript to ensure backward compatibility is certainly part of the problem.
However, if we consider this page, Microsoft is moving away from VBScript:
As of Internet Explorer 11, VBScript is considered deprecated and should no longer be used as a scripting language for IE11. Webpages displayed in IE11 edge mode won’t execute VBScript code.
Because VBScript is no longer supported for IE11 edge mode, the following API features are no longer available to webpages: The execScript function. The VBArray object. The “text/vbs” and “text/vbscript” MIME types (as supported type values for script elements).
According to the researchers at IBM X-Force, we might see more bugs that relate to arbitrary data manipulation like this one, as opposed to buffer overflows and user-after-free vulnerabilities.
Knowing that this flaw had existed for almost two decades is a little disconcerting and shows that system updates are not a panacea. Security solutions that provide exploit mitigation techniques that aren’t based on signatures can bridge the gap between a patched system and a protected system.
We will keep our eyes peeled and notify you when this vulnerability is added to mainstream exploit kits. Given the range of affected software and operating systems, this would make it a very deadly exploit. If you haven’t already, please patch your systems immediately by running Windows updates!