TippingPoint Zero Day Initiative

(0Day) Microsoft Internet Explorer display:run-in Use-After-Free Remote Code Execution Vulnerability

ZDI-14-403: December 4th, 2014


CVSS Score

Affected Vendors

Affected Products

TippingPoint™ IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 16284. For further product information on the TippingPoint IPS:

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The vulnerability relates to how Internet Explorer uses reference counting to manage the lifetimes of the in-memory objects representing HTML elements (CElement objects). By applying a CSS style of display:run-in to a page and performing particular manipulations, an attacker can cause an object's reference count to fall to zero prematurely, causing the object to be freed. Internet Explorer will then continue using this object after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.

Vendor Response

Microsoft states:

This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

06/03/2014 - ZDI sent disclosure to the vendor
06/03/2014 - Vendor acknowledged
(vendor provided regular updates)
11/14/2014 - Vendor notified they will not make 180-days (actual timeline was 120-days)
11/19/2014 - ZDI notified of intent to publish 0-day and requested mitigation

-- Mitigations:

- In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit these vulnerabilities through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by getting them to open an attachment sent through email.

- An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

- By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use these vulnerabilities to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of these vulnerabilities through the web-based attack scenario.

- By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates these vulnerabilities. See the FAQ section for these vulnerabilities for more information about Internet Explorer Enhanced Security Configuration.

- Set Internet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.

- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.

- Install EMET. The Enhanced Mitigation Experience Toolkit (EMET) enables users to manage security mitigation technologies that help make it more difficult for attackers to exploit vulnerabilities in a given piece of software. EMET helps to mitigate this vulnerability in Internet Explorer on systems where EMET is installed and configured to work with Internet Explorer. For more information about EMET, see The Enhanced Mitigation Experience Toolkit.
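To check whether the two zone-setting mitigations above are in effect on a host, the following added example (not part of the advisory or of Microsoft's guidance) reads the Internet Explorer zone settings from the registry for the Internet and Local intranet zones. It assumes PowerShell 3.0 or later and uses a simplified precedence in which the first hive that defines a value wins; the function names are hypothetical.

```powershell
# Added example: audit the "High" zone level and Active Scripting mitigations.
# Zone 1 = Local intranet, zone 3 = Internet.
# URL action 1400 = Active Scripting: 0 = enabled, 1 = prompt, 3 = disabled.
# CurrentLevel 0x12000 = the "High" security template.
$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$meaning = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Simplified precedence (assumption): machine policy, user policy, user preference.
$roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

# Hypothetical helper: return the first defined value of $Name for a zone, or $null.
function Get-ZoneValue {
    param([int]$Zone, [string]$Name)
    foreach ($root in $roots) {
        $key  = Join-Path $root ([string]$Zone)
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = [int]$item.$Name; Source = $key }
        }
    }
    return $null
}

$report = foreach ($zone in ($zones.Keys | Sort-Object)) {
    $script = Get-ZoneValue -Zone $zone -Name '1400'
    $level  = Get-ZoneValue -Zone $zone -Name 'CurrentLevel'

    $scriptState = if ($null -eq $script) { 'Not set' }
                   elseif ($meaning.ContainsKey($script.Value)) { $meaning[$script.Value] }
                   else { "Other ($($script.Value))" }
    $isHigh = ($null -ne $level) -and ($level.Value -eq 0x12000)

    [pscustomobject]@{
        Zone            = $zones[$zone]
        LevelIsHigh     = $isHigh
        ActiveScripting = $scriptState
        # Either mitigation from the list above counts as applied for this zone.
        Mitigated       = $isHigh -or ($scriptState -in 'Prompt', 'Disabled')
        Source          = if ($script) { $script.Source } else { '' }
    }
}
$report | Format-Table -AutoSize
```

A row with `Mitigated` set to `False` identifies a zone where neither the "High" level nor a prompt/disable setting for Active Scripting is configured for the current user.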

Disclosure Timeline

    2014-06-03 - Case submitted to the ZDI
    2014-12-04 - Public release of advisory


This vulnerability was discovered by:
    Arthur Gerkis