Microsoft released 16 security updates during its Patch Tuesday release for November 2014, including one for CVE-2014-6332, the Windows OLE Automation Array Remote Code Execution Vulnerability (covered in MS14-064). We would like to bring attention to this particular vulnerability for the following reasons:
- It impacts almost all Microsoft Windows versions from Windows 95 onward.
- A stable exploit exists that works in Internet Explorer versions 3 to 11 and can bypass operating system (OS) security utilities and protections such as Enhanced Mitigation Experience Toolkit (EMET), Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control-Flow Integrity (CFI).
- Proof of concept (PoC) exploit code has recently been published by a Chinese researcher named Yuange1975.
- Based on the PoC, it’s fairly simple to write malicious VBScript code for attacks.
- Attackers may soon utilize the PoC to target unpatched systems.
About the CVE-2014-6332 Vulnerability
The bug is caused by improper handling when resizing an array in the Internet Explorer VBScript engine. VBScript is the default scripting language in ASP (Active Server Pages). Other browsers like Google Chrome do not support VBScript, but Internet Explorer still supports it via a legacy engine to ensure backward compatibility.