Vulnerabilities > CVE-2014-1770 - Resource Management Errors vulnerability in Microsoft Internet Explorer
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript code that interacts improperly with a CollectGarbage function call on a CMarkup object allocated by the CMarkup::CreateInitialMarkup function.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 6 |
Common Weakness Enumeration (CWE)
Exploit-Db
| description | Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free and Memory Corruption PoC (MS14-035). CVE-2014-0282,CVE-2014-1762,CVE-2014-1764,CVE-2014-1766,... |
| id | EDB-ID:34010 |
| last seen | 2016-02-03 |
| modified | 2014-07-08 |
| published | 2014-07-08 |
| reporter | Drozdova Liudmila |
| source | https://www.exploit-db.com/download/34010/ |
| title | Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free and Memory Corruption PoC MS14-035 |
Msbulletin
| bulletin_id | MS14-035 |
| bulletin_url | |
| date | 2014-06-10T00:00:00 |
| impact | Remote Code Execution |
| knowledgebase_id | 2969262 |
| knowledgebase_url | |
| severity | Critical |
| title | Cumulative Security Update for Internet Explorer |
Nessus
NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS14-035.NASL description The remote host is missing Internet Explorer (IE) Security Update 2969262. The version of Internet Explorer installed on the remote host is affected by multiple vulnerabilities, the majority of which are remote code execution vulnerabilities. An attacker could exploit these vulnerabilities by convincing a user to visit a specially crafted web page. last seen 2020-06-01 modified 2020-06-02 plugin id 74427 published 2014-06-11 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74427 title MS14-035: Cumulative Security Update for Internet Explorer (2969262) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(74427); script_version("1.22"); script_cvs_date("Date: 2019/11/26"); script_cve_id( "CVE-2014-0282", "CVE-2014-1762", "CVE-2014-1764", "CVE-2014-1766", "CVE-2014-1769", "CVE-2014-1770", "CVE-2014-1771", "CVE-2014-1772", "CVE-2014-1773", "CVE-2014-1774", "CVE-2014-1775", "CVE-2014-1777", "CVE-2014-1778", "CVE-2014-1779", "CVE-2014-1780", "CVE-2014-1781", "CVE-2014-1782", "CVE-2014-1783", "CVE-2014-1784", "CVE-2014-1785", "CVE-2014-1786", "CVE-2014-1788", "CVE-2014-1789", "CVE-2014-1790", "CVE-2014-1791", "CVE-2014-1792", "CVE-2014-1794", "CVE-2014-1795", "CVE-2014-1796", "CVE-2014-1797", "CVE-2014-1799", "CVE-2014-1800", "CVE-2014-1802", "CVE-2014-1803", "CVE-2014-1804", "CVE-2014-1805", "CVE-2014-2753", "CVE-2014-2754", "CVE-2014-2755", "CVE-2014-2756", "CVE-2014-2757", "CVE-2014-2758", "CVE-2014-2759", "CVE-2014-2760", "CVE-2014-2761", "CVE-2014-2763", "CVE-2014-2764", "CVE-2014-2765", "CVE-2014-2766", "CVE-2014-2767", "CVE-2014-2768", "CVE-2014-2769", "CVE-2014-2770", "CVE-2014-2771", "CVE-2014-2772", "CVE-2014-2773", "CVE-2014-2775", "CVE-2014-2776", "CVE-2014-2777", "CVE-2014-2782" ); script_bugtraq_id( 67295, 67511, 67518, 67544, 67827, 67831, 67833, 67834, 67835, 67836, 67838, 67839, 67840, 67841, 67842, 67843, 67845, 67846, 67847, 67848, 67849, 67850, 67851, 67852, 67854, 67855, 67856, 67857, 67858, 67859, 67860, 67861, 67862, 67864, 67866, 67867, 67869, 67871, 67873, 67874, 67875, 67876, 67877, 67878, 67879, 67880, 67881, 67882, 67883, 67884, 67885, 67886, 67887, 67889, 67890, 67891, 67892, 67915, 68101 ); script_xref(name:"CERT", value:"239151"); script_xref(name:"EDB-ID", value:"33860"); script_xref(name:"EDB-ID", value:"35213"); script_xref(name:"MSFT", value:"MS14-035"); script_xref(name:"MSKB", value:"2957689"); script_xref(name:"MSKB", value:"2963950"); script_name(english:"MS14-035: Cumulative Security Update for Internet Explorer (2969262)"); script_summary(english:"Checks version of Mshtml.dll."); script_set_attribute(attribute:"synopsis", value: "The remote host has a web browser that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote host is missing Internet Explorer (IE) Security Update 2969262. The version of Internet Explorer installed on the remote host is affected by multiple vulnerabilities, the majority of which are remote code execution vulnerabilities. An attacker could exploit these vulnerabilities by convincing a user to visit a specially crafted web page."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-035"); script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/532798/30/0/threaded"); script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/532799/30/0/threaded"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-194/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-193/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-192/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-191/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-190/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-189/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-188/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-187/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-186/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-185/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-184/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-183/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-182/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-181/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-180/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-179/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-178/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-177/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-176/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-175/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-174/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-140/"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Internet Explorer 6, 7, 8, 9, 10, and 11."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-1764"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/05/21"); script_set_attribute(attribute:"patch_publication_date", value:"2014/06/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/11"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, "Host/patch_management_checks"); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS14-035'; kb = '2957689'; kbs = make_list(kb, '2963950'); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE); share = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( # Windows 8.1 / 2012 R2 # # - Internet Explorer 11 with KB2919355 applied hotfix_is_vulnerable(os:"6.3", file:"Mshtml.dll", version:"11.0.9600.17126", min_version:"11.0.9600.17000", dir:"\system32", bulletin:bulletin, kb:kb) || # - Internet Explorer 11 without KB2919355 applied hotfix_is_vulnerable(os:"6.3", file:"Mshtml.dll", version:"11.0.9600.16668", min_version:"11.0.0.0", dir:"\system32", bulletin:bulletin, kb:'2963950') || # Windows 8 / 2012 # # - Internet Explorer 10 hotfix_is_vulnerable(os:"6.2", file:"Mshtml.dll", version:"10.0.9200.21044", min_version:"10.0.9200.21000", dir:"\system32", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"6.2", file:"Mshtml.dll", version:"10.0.9200.16921", min_version:"10.0.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) || # Windows 7 / 2008 R2 # - Internet Explorer 11 with KB2929437 applied hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"11.0.9600.17126", min_version:"11.0.9600.17000", dir:"\system32", bulletin:bulletin, kb:kb) || # - Internet Explorer 11 without KB2929437 applied hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"11.0.9600.16668", min_version:"11.0.0.0", dir:"\system32", bulletin:bulletin, kb:'2963950') || # - Internet Explorer 10 hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"10.0.9200.21044", min_version:"10.0.9200.21000", dir:"\system32", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"10.0.9200.16921", min_version:"10.0.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) || # - Internet Explorer 9 hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"9.0.8112.20666", min_version:"9.0.8112.20000", dir:"\system32", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"9.0.8112.16555", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:kb) || # - Internet Explorer 8 hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"8.0.7601.22686", min_version:"8.0.7601.22000", dir:"\system32", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"8.0.7601.18472", min_version:"8.0.7601.17000", dir:"\system32", bulletin:bulletin, kb:kb) || # Vista / 2008 # # - Internet Explorer 9 hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"9.0.8112.20666", min_version:"9.0.8112.20000", dir:"\system32", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"9.0.8112.16555", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:kb) || # - Internet Explorer 8 hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"8.0.6001.23598", min_version:"8.0.6001.23000", dir:"\system32", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"8.0.6001.19539", min_version:"8.0.6001.18000", dir:"\system32", bulletin:bulletin, kb:kb) || # - Internet Explorer 7 hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.23389", min_version:"7.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.19098", min_version:"7.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) || # Windows 2003 # # - Internet Explorer 8 hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"8.0.6001.23598", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) || # - Internet Explorer 7 hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"7.0.6000.21389", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) || # - Internet Explorer 6 hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"6.0.3790.5341", min_version:"6.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }NASL family Windows NASL id SMB_IE_CVE_2014_1770.NASL description The remote host has a version of Microsoft Internet Explorer installed that is affected by a use-after-free remote code execution vulnerability related to the handling of CMarkup objects. last seen 2017-10-29 modified 2014-06-12 plugin id 74138 published 2014-05-22 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=74138 title Microsoft Internet Explorer 8 CMarkup Use-After-Free Remote Code Execution code #%NASL_MIN_LEVEL 999999 # @DEPRECATED@ # # Disabled on 2014/06/12. Deprecated by smb_nt_ms14-035.nasl # # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(74138); script_version("1.6"); script_cvs_date("Date: 2018/07/27 18:38:15"); script_cve_id("CVE-2014-1770"); script_bugtraq_id(67544); script_xref(name:"CERT", value:"239151"); script_name(english:"Microsoft Internet Explorer 8 CMarkup Use-After-Free Remote Code Execution"); script_summary(english:"Checks for workaround."); script_set_attribute(attribute:"synopsis", value: "The remote host has a version of Internet Explorer installed that is affected by a remote code execution vulnerability."); script_set_attribute(attribute:"description", value: "The remote host has a version of Microsoft Internet Explorer installed that is affected by a use-after-free remote code execution vulnerability related to the handling of CMarkup objects."); script_set_attribute(attribute:"see_also", value:"http://zerodayinitiative.com/advisories/ZDI-14-140/"); # https://www.corelan.be/index.php/2014/05/22/on-cve-2014-1770-zdi-14-140-internet-explorer-8-0day/ script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?b062019d"); script_set_attribute(attribute:"solution", value:"Apply the workarounds mentioned in the CERT and ZDI advisories."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/05/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/05/22"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"cpe",value:"cpe:/a:microsoft:ie"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc."); script_dependencies("microsoft_emet_installed.nasl", "smb_hotfixes.nasl", "microsoft_ie_esc_detect.nbin"); script_require_keys("SMB/Registry/Enumerated", "SMB/WindowsVersion", "SMB/IE/Version"); script_require_ports(139, 445); exit(0); } # Deprecated. exit(0, "This plugin has been deprecated. Use plugin #74427 (smb_nt_ms14-035.nasl) instead."); include('audit.inc'); include('global_settings.inc'); include("smb_hotfixes.inc"); include("misc_func.inc"); include("smb_func.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_reg_query.inc"); if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN); if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE); # if IE ESC is enabled for all users, the remote host is not vulnerable if(get_kb_item("SMB/IE_ESC/User_Groups_Enabled")) exit(0, "IE Enhanced Security Configuration is enabled for all users on the remote host."); # Only IE 8 affected version = get_kb_item_or_exit("SMB/IE/Version"); v = split(version, sep:".", keep:FALSE); if (int(v[0]) != 8) audit(AUDIT_INST_VER_NOT_VULN, "IE", version); registry_init(); emet_info = ''; emet_installed = FALSE; emet_with_ie = FALSE; if (!isnull(get_kb_item("SMB/Microsoft/EMET/Installed"))) emet_installed = TRUE; # Check if EMET is configured with IE. # The workaround does not specifically ask to enable DEP # but if IE is configured with EMET, dep is enabled by default. emet_list = get_kb_list("SMB/Microsoft/EMET/*"); if (!isnull(emet_list)) { foreach entry (keys(emet_list)) { if ("iexplore.exe" >< entry && "/dep" >< entry) { dep = get_kb_item(entry); if (!isnull(dep) && dep == 1) emet_with_ie = TRUE; } } } if (!emet_installed) { emet_info = '\n Microsoft Enhanced Mitigation Experience Toolkit (EMET) is not' + '\n installed.'; } else if (emet_installed) { if (!emet_with_ie) { emet_info = '\n Microsoft Enhanced Mitigation Experience Toolkit (EMET) is' + '\n installed, however Internet Explorer is not configured with EMET.'; } } info_user_settings = ''; # check mitigation per user hku = registry_hive_connect(hive:HKEY_USERS, exit_on_fail:TRUE); subkeys = get_registry_subkeys(handle:hku, key:''); if(!isnull(subkeys)) { foreach key (subkeys) { if ('.DEFAULT' >< key || 'Classes' >< key || key =~ "^S-1-5-\d{2}$") # skip built-in accounts continue; mitigation = FALSE; # "Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones" key_part_intranet = '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\CurrentLevel'; key_part_internet = '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\CurrentLevel'; value = get_registry_value(handle:hku, item:key + key_part_intranet); value1 = get_registry_value(handle:hku, item:key + key_part_internet); if (isnull(value) && isnull(value1)) continue; # 0x00012000 = 73728 = High Security if (!isnull(value) && !isnull(value1) && value == 73728 && value1 == 73728) mitigation = TRUE; # "Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone" key_part_intranet = '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\1400'; key_part_internet = '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1400'; value = get_registry_value(handle:hku, item:key + key_part_intranet); value1 = get_registry_value(handle:hku, item:key + key_part_internet); # 1 = prompt, 3 = disable if (!isnull(value) && !isnull(value1) && (value == 1 || value == 3) && (value1 == 1 || value1 == 3)) mitigation = TRUE; if (!mitigation) info_user_settings += '\n ' + key + ' (Active Scripting Enabled)'; } } RegCloseKey(handle:hku); hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE); # check if user settings have been overridden by what is in HKLM # note: Security_HKLM_only can be set by group policy value = get_registry_value(handle:hklm, item:'SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only'); if (info_user_settings != '' && !isnull(value) && value == 1) { mitigation = FALSE; # "Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones" key_part_intranet = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\CurrentLevel'; key_part_internet = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\CurrentLevel'; value = get_registry_value(handle:hklm, item:key_part_intranet); value1 = get_registry_value(handle:hklm, item:key_part_internet); # 0x00012000 = 73728 = High Security if (!isnull(value) && !isnull(value1) && value == 73728 && value1 == 73728) mitigation = TRUE; # "Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone" key_part_intranet = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\1400'; key_part_internet = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1400'; value = get_registry_value(handle:hklm, item:key_part_intranet); value1 = get_registry_value(handle:hklm, item:key_part_internet); # 1 = prompt, 3 = disable if (!isnull(value) && !isnull(value1) && (value == 1 || value == 3) && (value1 == 1 || value1 == 3)) mitigation = TRUE; if (mitigation) info_user_settings = ''; } RegCloseKey(handle:hklm); close_registry(); if (info_user_settings != '') { port = kb_smb_transport(); if (report_verbosity > 0) { if (emet_info != '') report = '\n The following users have vulnerable IE settings :' + info_user_settings + '\n' + emet_info + '\n'; else report = '\n The following users have vulnerable IE settings :' + info_user_settings + '\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else exit(0, "The host is not affected since a workaround has been applied.");
The Hacker News
id THN:1ECCECD7B752928854F7EB0476C0FE03 last seen 2018-01-27 modified 2014-05-21 published 2014-05-21 reporter Mohit Kumar source https://thehackernews.com/2014/05/internet-explorer-zero-day.html title New Internet Explorer Zero-Day Vulnerability Publicly Disclosed; Identified in October 2013 id THN:B20DD3A3550912B29ABFF91D6D9089B2 last seen 2018-01-27 modified 2014-05-22 published 2014-05-21 reporter Mohit Kumar source https://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html title Microsoft Outlook App for Android Devices Stores Emails Unencrypted on File System id THN:A20366B2503D45E62DB7902F938428FF last seen 2018-01-27 modified 2014-06-06 published 2014-06-05 reporter Wang Wei source https://thehackernews.com/2014/06/microsoft-to-patch-critical-internet.html title Microsoft to Patch Critical Internet Explorer Zero-Day Vulnerability Next Tuesday
References
- http://www.kb.cert.org/vuls/id/239151
- http://www.securityfocus.com/bid/67544
- http://www.securitytracker.com/id/1030266
- http://zerodayinitiative.com/advisories/ZDI-14-140/
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-035
- https://www.corelan.be/index.php/2014/05/22/on-cve-2014-1770-zdi-14-140-internet-explorer-8-0day/