CVE-2014-1776 - Use After Free vulnerability in Microsoft Internet Explorer
Summary
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via vectors related to the CMarkup::IsConnectedToPrimaryMarkup function, as exploited in the wild in April 2014. NOTE: this issue originally emphasized VGX.DLL, but Microsoft clarified that "VGX.DLL does not contain the vulnerable code leveraged in this exploit. Disabling VGX.DLL is an exploit-specific workaround that provides an immediate, effective workaround to help block known attacks."
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 6 |
OS | Microsoft | 14 |
Common Weakness Enumeration (CWE)
Msbulletin
bulletin_id | MS14-021 |
bulletin_url | |
date | 2014-05-01T00:00:00 |
impact | Remote Code Execution |
knowledgebase_id | 2965111 |
knowledgebase_url | |
severity | Critical |
title | Security Update for Internet Explorer |
Nessus
NASL family | Windows |
NASL id | SMB_KB2963983.NASL |
description | The remote host is missing one of the workarounds referenced in Microsoft Security Advisory 2963983. The remote Internet Explorer install is affected by an unspecified use-after-free vulnerability related to the VML and Flash components. By exploiting this flaw, a remote, unauthenticated attacker could execute arbitrary code on the remote host subject to the privileges of the user running the affected application. |
last seen | 2017-10-29 |
modified | 2017-08-30 |
plugin id | 73739 |
published | 2014-04-28 |
reporter | Tenable |
source | https://www.tenable.com/plugins/index.php?view=single&id=73739 |
title | MS KB2963983: Vulnerability in Internet Explorer Could Allow Remote Code Execution |

code

```
#%NASL_MIN_LEVEL 999999

#
# (C) Tenable Network Security, Inc.
#
# @DEPRECATED@
#
# Disabled on 2014/05/01. Deprecated by smb_nt_ms14-021.nasl
#

include("compat.inc");

if (description)
{
  script_id(73739);
  script_version("1.9");
  script_cvs_date("Date: 2018/07/27 18:38:15");

  script_cve_id("CVE-2014-1776");
  script_bugtraq_id(67075);
  script_xref(name:"CERT", value:"222929");
  script_xref(name:"MSKB", value:"2963983");

  script_name(english:"MS KB2963983: Vulnerability in Internet Explorer Could Allow Remote Code Execution");
  script_summary(english:"Checks if workarounds referenced in KB article have been applied.");

  script_set_attribute(attribute:"synopsis", value:"The remote host is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host is missing one of the workarounds referenced in Microsoft Security Advisory 2963983. The remote Internet Explorer install is affected by an unspecified use-after-free vulnerability related to the VML and Flash components.
By exploiting this flaw, a remote, unauthenticated attacker could execute arbitrary code on the remote host subject to the privileges of the user running the affected application.");
  script_set_attribute(attribute:"see_also", value:"https://technet.microsoft.com/en-US/library/security/2963983");
  # http://blogs.technet.com/b/srd/archive/2014/04/26/more-details-about-security-advisory-2963983-ie-0day.aspx
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?671b0a2a");
  script_set_attribute(attribute:"solution", value:
"Apply the IE settings and workarounds suggested by Microsoft in security advisory 2963983.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/04/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/04/28");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");

  script_dependencies("microsoft_emet_installed.nasl", "smb_hotfixes.nasl", "microsoft_ie_esc_detect.nbin");
  script_require_keys("SMB/Registry/Enumerated", "SMB/WindowsVersion", "SMB/IE/Version");
  script_require_ports(139, 445);
  exit(0);
}

# Deprecated
exit(0, "This plugin has been deprecated. Use plugin #73805 (smb_nt_ms14-021.nasl) instead.");

include('audit.inc');
include('global_settings.inc');
include("smb_hotfixes.inc");
include("misc_func.inc");
include("smb_func.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_reg_query.inc");

ACCESS_DENIED_ACE_TYPE = 1;

#
# @return DACL associated with 'fh'
##
function get_dacl()
{
  local_var fh, sd, dacl;

  fh = _FCT_ANON_ARGS[0];

  sd = GetSecurityInfo(handle:fh, level:DACL_SECURITY_INFORMATION);
  if (isnull(sd)) return NULL;

  dacl = sd[3];
  if (isnull(dacl)) return NULL;

  dacl = parse_pdacl(blob:dacl);
  if (isnull(dacl)) return NULL;

  return dacl;
}

if (hotfix_check_sp_range(vista:'2', win2003:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

ie_epm_avail = FALSE;

version = get_kb_item_or_exit("SMB/IE/Version");
v = split(version, sep:".", keep:FALSE);
if (int(v[0]) == 11 || int(v[0]) == 10)
  ie_epm_avail = TRUE;

# server core not affected
if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);

# if IE ESC is enabled for all users, the remote host is not vulnerable
if(get_kb_item("SMB/IE_ESC/User_Groups_Enabled"))
  exit(0, "IE Enhanced Security Configuration is enabled for all users on the remote host.");

registry_init();

vuln = FALSE;

hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
value = get_registry_value(handle:hklm, item:"SOFTWARE\Classes\PeerDraw.PeerDraw.1\CLSID\");
RegCloseKey(handle:hklm);

# this checks for vgx.dll mitigations
# Microsoft suggests either unregistering the DLL or
# setting a deny permission for the 'everyone' group on the file
clsid = '{10072CEC-8CC1-11D1-986E-00A0C955B42E}';
if(value == clsid)
{
  vuln = TRUE;

  # check permissions
  NetUseDel(close:FALSE);

  commonprogramfiles = hotfix_get_commonfilesdir();
  if (isnull(commonprogramfiles))
    exit(1, "Failed to determine the location of %commonprogramfiles%.");

  vuln_file = commonprogramfiles + "\Microsoft Shared\VGX\vgx.dll";

  obj = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:vuln_file);
  share = hotfix_path2share(path:vuln_file);

  rc = NetUseAdd(share:share);
  if(!rc)
  {
    NetUseDel();
    audit(AUDIT_SHARE_FAIL, share);
  }

  fh = CreateFile(
    file:obj,
    desired_access:STANDARD_RIGHTS_READ,
    file_attributes:FILE_ATTRIBUTE_NORMAL,
    share_mode:FILE_SHARE_READ,
    create_disposition:OPEN_EXISTING
  );

  if(isnull(fh))
  {
    NetUseDel();
    exit(1, "Unable to read permission on 'vgx.dll'.");
  }

  dacls = get_dacl(fh);
  CloseFile(handle:fh);

  ace = NULL;
  if(!isnull(dacls))
    ace = parse_dacl(blob:dacls[0]);

  if(!isnull(ace))
  {
    rights = ace[0];
    type = ace[3];
    sid = sid2string(sid:ace[1]);

    # workaround is to deny access to everyone
    if (sid == '1-1-0' && rights & FILE_WRITE_DATA)
    {
      if (type == ACCESS_DENIED_ACE_TYPE) vuln = FALSE;
    }
  }
}

# close in case we exit
close_registry();

if(!vuln)
  exit(0, "The remote host has a workaround applied preventing access to 'vgx.dll'");

emet_info = '';
emet_installed = FALSE;
emet_with_ie = FALSE;

# EMET 3.0 does not mitigate this issue
# 4.1 needs to be installed to prevent exploitation
emet_bad_version = FALSE;

if (!isnull(get_kb_item("SMB/Microsoft/EMET/Installed")))
  emet_installed = TRUE;

if(emet_installed)
{
  emet_version = get_kb_item_or_exit("SMB/Microsoft/EMET/Version");
  if(ver_compare(ver:emet_version, fix:"4.1", strict:FALSE) == -1)
    emet_bad_version = TRUE;
}

# Check if EMET is configured with IE.
# The workaround does not specifically ask to enable DEP
# but if IE is configured with EMET, dep is enabled by default.
if(!emet_bad_version)
{
  emet_list = get_kb_list("SMB/Microsoft/EMET/*");
  if (!isnull(emet_list))
  {
    foreach entry (keys(emet_list))
    {
      if ("iexplore.exe" >< entry && "/dep" >< entry)
      {
        dep = get_kb_item(entry);
        if (!isnull(dep) && dep == 1)
          emet_with_ie = TRUE;
      }
    }
  }
}

if (!emet_installed)
{
  emet_info =
    '\n Microsoft Enhanced Mitigation Experience Toolkit (EMET) is not' +
    '\n installed.';
}
else if (emet_installed)
{
  if (!emet_with_ie)
  {
    emet_info =
      '\n Microsoft Enhanced Mitigation Experience Toolkit (EMET) is' +
      '\n installed, however Internet Explorer is not configured with EMET.';
  }
  if(emet_bad_version)
  {
    emet_info =
      '\n The version of Microsoft Enhanced Mitigation Experience Toolkit (EMET)' +
      '\n installed does not mitigate the vulnerability.';
  }
}

if(emet_installed && emet_with_ie && !emet_bad_version)
  exit(0, "Enhanced Mitigation Toolkit is installed and configured with IE to prevent the vulnerability.");

info_user_settings = '';

registry_init();

# check mitigation per user
hku = registry_hive_connect(hive:HKEY_USERS, exit_on_fail:TRUE);
subkeys = get_registry_subkeys(handle:hku, key:'');

foreach key (subkeys)
{
  if ('.DEFAULT' >< key || 'Classes' >< key ||
      key =~ "^S-1-5-\d{2}$") # skip built-in accounts
    continue;

  mitigation = FALSE;

  # "Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones"
  key_part_intranet = '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\CurrentLevel';
  key_part_internet = '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\CurrentLevel';

  value = get_registry_value(handle:hku, item:key + key_part_intranet);
  value1 = get_registry_value(handle:hku, item:key + key_part_internet);

  if (isnull(value) && isnull(value1))
    continue;

  # 0x00012000 = 73728 = High Security
  if (!isnull(value) && !isnull(value1) && value == 73728 && value1 == 73728)
    mitigation = TRUE;

  # "Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone"
  key_part_intranet = '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\1400';
  key_part_internet = '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1400';

  value = get_registry_value(handle:hku, item:key + key_part_intranet);
  value1 = get_registry_value(handle:hku, item:key + key_part_internet);

  # check for IE enhanced protected mode configuration
  if(ie_epm_avail)
  {
    isolation_key = "\Software\Microsoft\Internet Explorer\Main\Isolation";
    value = get_registry_value(handle:hku, item:key + isolation_key);
    if(value == "PMEM")
    {
      isolation_key_64 = "\Software\Microsoft\Internet Explorer\Main\Isolation64Bit";
      value = get_registry_value(handle:hku, item:key + isolation_key_64);
      # if "Enable 64-bit processes for Enhanced Protected Mode" is an available setting in IE,
      # this registry will be initialized to 0 when "Enable Enhance Protected Mode" is set,
      # or set to 1 if both boxes are check.
      if(isnull(value) || value == 1)
        mitigation = TRUE;
    }
  }

  # 1 = prompt, 3 = disable
  if (!isnull(value) && !isnull(value1) && (value == 1 || value == 3) && (value1 == 1 || value1 == 3))
    mitigation = TRUE;

  if (!mitigation)
  {
    # we check enhanced protected mode setting in IE 11 / 10 only
    if(ie_epm_avail)
      info_user_settings += '\n ' + key + ' (Active Scripting Enabled and Enhanced Protected Mode Disabled)';
    else
      info_user_settings += '\n ' + key + ' (Active Scripting Enabled)';
  }
}

RegCloseKey(handle:hku);

hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);

# check for Group Policy Enhanced Protected Mode Mitigation
if(ie_epm_avail)
{
  value = get_registry_value(handle:hklm, item:"SOFTWARE\Policies\Microsoft\Internet Explorer\Main\Isolation");
  if(value == "PMEM")
  {
    value = get_registry_value(handle:hklm, item:"SOFTWARE\Policies\Microsoft\Internet Explorer\Main\Isolation64Bit");
    # if "Enable 64-bit processes for Enhanced Protected Mode" is an available setting in IE,
    # this registry will be initialized to 0 when "Enable Enhance Protected Mode" is set,
    # or set to 1 if both boxes are check.
    if(isnull(value) || value == 1)
    {
      RegCloseKey(handle:hklm);
      close_registry();
      exit(0, "IE 11 Enhanced Protected Mode Mitigation is enabled.");
    }
  }
}

# check if user settings have been overridden by what is in HKLM
# note: Security_HKLM_only can be set by group policy
value = get_registry_value(handle:hklm, item:'SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only');

if (info_user_settings != '' && !isnull(value) && value == 1)
{
  mitigation = FALSE;

  # "Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones"
  key_part_intranet = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\CurrentLevel';
  key_part_internet = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\CurrentLevel';

  value = get_registry_value(handle:hklm, item:key_part_intranet);
  value1 = get_registry_value(handle:hklm, item:key_part_internet);

  # 0x00012000 = 73728 = High Security
  if (!isnull(value) && !isnull(value1) && value == 73728 && value1 == 73728)
    mitigation = TRUE;

  # "Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone"
  key_part_intranet = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\1400';
  key_part_internet = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1400';

  value = get_registry_value(handle:hklm, item:key_part_intranet);
  value1 = get_registry_value(handle:hklm, item:key_part_internet);

  # 1 = prompt, 3 = disable
  if (!isnull(value) && !isnull(value1) && (value == 1 || value == 3) && (value1 == 1 || value1 == 3))
    mitigation = TRUE;

  if (mitigation)
    info_user_settings = '';
}

RegCloseKey(handle:hklm);
close_registry();

if (info_user_settings != '')
{
  port = kb_smb_transport();

  if (report_verbosity > 0)
  {
    if (emet_info != '')
      report = '\n' + 'The following users have vulnerable IE settings :' + info_user_settings + '\n' + emet_info + '\n';
    else
      report = '\n' + 'The following users have vulnerable IE settings :' + info_user_settings + '\n';

    report += '\n' + 'Additionally, the remote host is missing a workaround to' +
              '\n' + 'restrict access to \'vgx.dll\'\n';

    security_hole(port:port, extra:report);
  }
  else security_hole(port);
  exit(0);
}
else exit(0, "The host is not affected since an IE setting workaround has been applied.");
```
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS14-021.NASL |
description | The remote host is missing Internet Explorer (IE) Security Update 2965111. The installed version of IE is affected by a memory corruption vulnerability that could allow an attacker to execute arbitrary code on the remote host. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 73805 |
published | 2014-05-01 |
reporter | This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/73805 |
title | MS14-021: Security Update for Internet Explorer (2965111) |

code

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(73805);
  script_version("1.14");
  script_cvs_date("Date: 2019/11/26");

  script_cve_id("CVE-2014-1776");
  script_bugtraq_id(67075);
  script_xref(name:"CERT", value:"222929");
  script_xref(name:"MSFT", value:"MS14-021");
  script_xref(name:"MSKB", value:"2964358");
  script_xref(name:"MSKB", value:"2964444");

  script_name(english:"MS14-021: Security Update for Internet Explorer (2965111)");
  script_summary(english:"Checks version of Mshtml.dll");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has a web browser that is affected by a memory corruption vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host is missing Internet Explorer (IE) Security Update 2965111.
The installed version of IE is affected by a memory corruption vulnerability that could allow an attacker to execute arbitrary code on the remote host.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-021");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for XP, 2003, Vista, 2008, 7, 2008 R2, 8, 2012, 8.1, and 2012 R2.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-1776");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/04/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/05/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/05/01");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS14-021';
kb = '2964358';

kbs = make_list(kb, '2964444');
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  # Windows 8.1 / 2012 R2
  #
  # - Internet Explorer 11 with KB2919355 applied
  hotfix_is_vulnerable(os:"6.3", file:"Mshtml.dll", version:"11.0.9600.17105", min_version:"11.0.9600.17041", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 11 without KB2919355 applied
  hotfix_is_vulnerable(os:"6.3", file:"Mshtml.dll", version:"11.0.9600.16661", min_version:"11.0.0.0", dir:"\system32", bulletin:bulletin, kb:'2964444') ||

  # Windows 8 / 2012
  #
  # - Internet Explorer 10
  hotfix_is_vulnerable(os:"6.2", file:"Mshtml.dll", version:"10.0.9200.21024", min_version:"10.0.9200.21000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.2", file:"Mshtml.dll", version:"10.0.9200.16897", min_version:"10.0.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 7 / 2008 R2
  # - Internet Explorer 11 with KB2929437 applied
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"11.0.9600.17105", min_version:"11.0.9600.17041", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 11 without KB2929437 applied
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"11.0.9600.16661", min_version:"11.0.0.0", dir:"\system32", bulletin:bulletin, kb:'2964444') ||
  # - Internet Explorer 10
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"10.0.9200.21024", min_version:"10.0.9200.21000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"10.0.9200.16897", min_version:"10.0.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 9
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"9.0.8112.20657", min_version:"9.0.8112.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"9.0.8112.16546", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 8
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"8.0.7601.22657", min_version:"8.0.7601.22000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"8.0.7601.18446", min_version:"8.0.7601.17000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Vista / 2008
  #
  # - Internet Explorer 9
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"9.0.8112.20657", min_version:"9.0.8112.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"9.0.8112.16546", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 8
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"8.0.6001.23588", min_version:"8.0.6001.23000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"8.0.6001.19529", min_version:"8.0.6001.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 7
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.23377", min_version:"7.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.19087", min_version:"7.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 2003 / XP 64-bit
  #
  # - Internet Explorer 8
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"8.0.6001.23588", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 7
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"7.0.6000.21383", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 6
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"6.0.3790.5328", min_version:"6.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows XP x86
  #
  # - Internet Explorer 8
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"8.0.6001.23588", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 7
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"7.0.6000.21383", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 6
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"6.0.2900.6550", min_version:"6.0.2900.0", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
```
The Hacker News
id | THN:480A87493B203474175A47FD14903623 |
last seen | 2018-01-27 |
modified | 2014-04-28 |
published | 2014-04-27 |
reporter | Mohit Kumar |
source | https://thehackernews.com/2014/04/new-zero-day-vulnerability-cve-2014.html |
title | New Zero-Day Vulnerability CVE-2014-1776 Affects all Versions of Internet Explorer Browser |

id | THN:379C7267466A59AC1D0170162336F765 |
last seen | 2018-01-27 |
modified | 2014-05-01 |
published | 2014-05-01 |
reporter | Wang Wei |
source | https://thehackernews.com/2014/05/microsoft-patches-internet-explorer.html |
title | Microsoft Patches Internet Explorer Zero-Day Vulnerability, Even for Windows XP |
References
- http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html
- https://technet.microsoft.com/library/security/2963983
- http://www.signalsec.com/cve-2014-1776-ie-0day-analysis/
- http://securitytracker.com/id?1030154
- http://secunia.com/advisories/57908
- http://blogs.technet.com/b/srd/archive/2014/04/30/protection-strategies-for-the-security-advisory-2963983-ie-0day.aspx
- http://www.securityfocus.com/bid/67075
- http://www.kb.cert.org/vuls/id/222929
- http://www.osvdb.org/106311
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-021