Microsoft Internet Explorer 6 through 11 Arbitrary Code Execution

high Nessus Network Monitor Plugin ID 8240

Synopsis

This is a deprecated warning regarding the version of Microsoft Internet Explorer on the remote host; NNM cannot determine passively whether or not the browser has been patched.

Description

Unpatched versions of Internet Explorer 6 through 11 contain a vulnerability that bypasses both of Windows' ASLP and DEP protections, though current attacks in the wild have been targeting versions 9 and onward. An attacker could leverage this to execute arbitrary code within the context of the user running the browser.

Solution

Review and upgrade the Internet Explorer browser.

See Also

https://technet.microsoft.com/library/security/2963983

http://community.websense.com/blogs/securitylabs/archive/2014/02/14/msie-0-day-exploit-cve-2014-0322-possibly-targeting-french-aerospace-organization.aspx

http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/new-ie-zero-day-found-in-watering-hole-attack-2.html

http://www.us-cert.gov/ncas/current-activity/2014/05/01/Microsoft-Releases-Security-Update-Internet-Explorer-Use-After-Free

Plugin Details

Severity: High

ID: 8240

Family: Web Clients

Published: 4/29/2014

Updated: 3/6/2019

Nessus ID: 72605

Risk Information

VPR

Risk Factor: Critical

Score: 9.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:microsoft:ie

Vulnerability Publication Date: 4/26/2014

Exploitable With

CANVAS (CANVAS)

Metasploit (windows/browser/ms14_012_cmarkup_uaf.rb)

Reference Information

CVE: CVE-2014-0322

BID: 65551