Posts

Microsoft IE Vulnerability (CVE-2014-1815) attacks spotted in the Wild (September 05, 2014)

An exploit for the CVE-2014-1815 vulnerability has been spotted in the wild. A detailed analysis follows:

The attacker entices the user to visit a specially crafted webpage. If the user has an older, unpatched version of Internet Explorer, the attacker is able to execute code in the user’s context and also crash IE.

The crash code looks like

The JScript code tries to access the freed marquee object. This leads to a use-after-free condition, which causes Internet Explorer to crash. The attacker is able to control the memory location EAX+70h.

Data at memory address in ECX

Stack trace looks like

The attacker is able to download/execute a suspicious file, storm.swf, under the user’s security context.

The Dell SonicWALL Threat Research team has implemented the following signature to prevent this attack:

  • IPS 3869: Internet Explorer Memory Corruption Vulnerability (MS14-029) 2

Microsoft Security Bulletin Coverage (May 13, 2014)

    Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of May, 2014. A list of the issues reported, along with Dell SonicWALL coverage information, is as follows:

    MS14-021 Security Update for Internet Explorer (2965111)

    • CVE-2014-1776 Internet Explorer Memory Corruption Vulnerability
      IPS: 3787 “Internet Explorer Memory Corruption Vulnerability (CVE-2014-1776)”
      SPY: 3371 “Malformed-File html.MP.6”
      SPY: 3372 “Malformed-File html.MP.7”
      SPY: 3367 “Malformed-File swf.OT.9”
      SPY: 2290 “Malformed-File swf.OT.8”
      GAV: 23155 “CVE-2014-1776”

    MS14-029 Security Update for Internet Explorer (2962482)

    • CVE-2014-1815 Internet Explorer Memory Corruption Vulnerability
      IPS: 3869 “Windows IE Memory Corruption Vulnerability (MS14-029) 2”
    • CVE-2014-0310 Internet Explorer Memory Corruption Vulnerability
      IPS: 3867 “Windows IE Memory Corruption Vulnerability (MS14-029) 1”

    MS14-022 Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2952166)

    • CVE-2014-0251 SharePoint Page Content Vulnerability
      There are no known exploits in the wild.
    • CVE-2014-1754 SharePoint XSS Vulnerability
      IPS: 3868 “Microsoft SharePoint Server XSS 11 (MS14-022)”
      IPS: 1369 “Cross-Site Scripting (XSS) Attack 1”
      IPS: 6753 “Cross-Site Scripting (XSS) Attack 8”
    • CVE-2014-1813 Web Applications Page Content Vulnerability
      There are no known exploits in the wild.

    MS14-023 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2961037)

    • CVE-2014-1756 Microsoft Office Chinese Grammar Checking Vulnerability
      There are no known exploits in the wild.
    • CVE-2014-1808 Token Reuse Vulnerability
      There are no known exploits in the wild.

    MS14-025 Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege (2962486)

    • CVE-2014-1812 Group Policy Preferences Password Elevation of Privilege Vulnerability
      There are no known exploits in the wild.

    MS14-026 Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732)

    • CVE-2014-1806 TypeFilterLevel Vulnerability
      There are no known exploits in the wild.

    MS14-027 Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege (2962488)

    • CVE-2014-1807 Windows Shell File Association Vulnerability
      There are no known exploits in the wild.

    MS14-028 Vulnerabilities in iSCSI Could Allow Denial of Service (2962485)

    • CVE-2014-0255 iSCSI Target Remote Denial of Service Vulnerability
      There are no known exploits in the wild.
    • CVE-2014-0256 iSCSI Target Remote Denial of Service Vulnerability
      There are no known exploits in the wild.

    MS14-024 Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass (2961033)

    • CVE-2014-1809 MSCOMCTL ASLR Vulnerability
      There are no known exploits in the wild.