SecurityTracker.com
Category:   Application (Web Browser)  >   Microsoft Internet Explorer
Vendors:   Microsoft
Microsoft Internet Explorer Multiple Flaws Let Remote Users Execute Arbitrary Code, Bypass XSS Filters, Bypass ASLR Security Protections, and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1031315
SecurityTracker URL:  http://securitytracker.com/id/1031315
CVE Reference:   CVE-2014-6327, CVE-2014-6328, CVE-2014-6329, CVE-2014-6330, CVE-2014-6363, CVE-2014-6365, CVE-2014-6366, CVE-2014-6368, CVE-2014-6369, CVE-2014-6373, CVE-2014-6374, CVE-2014-6375, CVE-2014-6376, CVE-2014-8966
Updated:  Apr 16 2015
Original Entry Date:  Dec 9 2014
Impact:   Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 6, 7, 8, 9, 10, 11
Description:   Multiple vulnerabilities were reported in Microsoft Internet Explorer. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can bypass cross-site scripting filters. A remote user can bypass ASLR protections.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a memory corruption error and execute arbitrary code on the target system [CVE-2014-6327, CVE-2014-6329, CVE-2014-6330, CVE-2014-6366, CVE-2014-6369, CVE-2014-6373, CVE-2014-6374, CVE-2014-6375, CVE-2014-6376, CVE-2014-8966]. The code will run with the privileges of the target user.

A remote user can bypass cross-site scripting (XSS) filters [CVE-2014-6328, CVE-2014-6365].

A remote user can bypass the Address Space Layout Randomization (ASLR) security feature [CVE-2014-6368].

A remote user can create specially crafted HTML that, when loaded by the target user via Microsoft Internet Explorer, will trigger an object memory handling error and execute arbitrary code on the target system [CVE-2014-6363; See also Alert ID 1031313, MS14-084].

Garage4Hackers (via HP's Zero Day Initiative), Takeshi Terada, a Qihoo researcher, SkyLined (via VeriSign iDefense Labs), Dieyu (@theskyname), Liu Long of Qihoo 360, Jack Tang, Donghai Zhu, SkyLined (via HP's Zero Day Initiative), Sky (via HP's Zero Day Initiative), and Jihui Lu of KeenTeam (@K33nTeam) reported these vulnerabilities.

Impact:   A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can bypass cross-site scripting (XSS) filters.

A remote user can bypass the Address Space Layout Randomization (ASLR) security feature.

Solution:   The vendor has issued a fix.

[Editor's note: On January 13, 2015, Microsoft re-released MS14-080 to correct issues with Security Update 3008923 for CVE-2014-6363. Users who have already installed the 3008923 update do not need to reinstall. Users running IE 10 on Windows 8, Windows Server 2012, or Windows RT should also install the newly added update 3029449.]

[Editor's note: On January 13, 2015, Microsoft re-released MS14-080 to advise that, due to issues with the 3008923 security update, users of IE 11 on either Windows 7 or Windows Server 2008 R2 should also install the 3038314 security update released on April 14, 2015 as part of Bulletin MS15-032.]

A patch matrix is available in the vendor's advisory.

The Microsoft advisory is available at:

https://technet.microsoft.com/library/security/ms14-080

Vendor URL:  technet.microsoft.com/library/security/ms14-080
Cause:   Access control error, Input validation error, Randomization error
Underlying OS:  Windows (Any)

Message History:   None.



Copyright 2017, SecurityGlobal.net LLC