SecurityTracker.com
Category:   Application (Web Browser)  >   Microsoft Internet Explorer
Vendors:   Microsoft
Microsoft Internet Explorer Multiple Flaws Let Remote Users Execute Arbitrary Code, Bypass XSS Filters, and Bypass ASLR Security Protections Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1031315
SecurityTracker URL:  http://securitytracker.com/id/1031315
CVE Reference:   CVE-2014-6327, CVE-2014-6328, CVE-2014-6329, CVE-2014-6330, CVE-2014-6363, CVE-2014-6365, CVE-2014-6366, CVE-2014-6368, CVE-2014-6369, CVE-2014-6373, CVE-2014-6374, CVE-2014-6375, CVE-2014-6376, CVE-2014-8966
Updated:  Apr 16 2015
Original Entry Date:  Dec 9 2014
Impact:   Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 6, 7, 8, 9, 10, 11
Description:   Multiple vulnerabilities were reported in Microsoft Internet Explorer. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can bypass cross-site scripting filters. A remote user can bypass ASLR protections.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a memory corruption error and execute arbitrary code on the target system [CVE-2014-6327, CVE-2014-6329, CVE-2014-6330, CVE-2014-6366, CVE-2014-6369, CVE-2014-6373, CVE-2014-6374, CVE-2014-6375, CVE-2014-6376, CVE-2014-8966]. The code will run with the privileges of the target user.

A remote user can bypass cross-site scripting (XSS) filters [CVE-2014-6328, CVE-2014-6365].

A remote user can bypass the Address Space Layout Randomization (ASLR) security feature [CVE-2014-6368].

A remote user can create specially crafted HTML that, when loaded by the target user via Microsoft Internet Explorer, will trigger an object memory handling error and execute arbitrary code on the target system [CVE-2014-6363; See also Alert ID 1031313, MS14-084].


Impact:   A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can bypass cross-site scripting (XSS) filters.

A remote user can bypass the Address Space Layout Randomization (ASLR) security feature.

Solution:   The vendor has issued a fix.


[Editor's note: On January 13, 2015, Microsoft re-released MS14-080 to advise that, due to issues with the 3008923 security update, users of IE 11 on either Windows 7 or Windows Server 2008 R2 should also install the 3038314 security update released on April 14, 2015 as part of Bulletin MS15-032.]

A patch matrix is available in the vendor's advisory.

The Microsoft advisory is available at:

https://technet.microsoft.com/library/security/ms14-080

Vendor URL:  technet.microsoft.com/library/security/ms14-080
Cause:   Access control error, Input validation error, Randomization error
Underlying OS:  Windows (Any)

Message History:   None.


Copyright 2021, SecurityGlobal.net LLC