|
National Cyber Awareness System: 11/14/2014 05:42 PM EST
Original release date: November 14, 2014
Systems Affected
OverviewA vulnerability in Microsoft Windows Object Linking and Embedding (OLE) could allow remote code execution if a user views a specially-crafted web page in Internet Explorer.[1] DescriptionThe Microsoft Windows OLE OleAut32.dll library provides the SafeArrayRedim function that allows resizing of SAFEARRAY objects in memory.[2] In certain circumstances, this library does not properly check sizes of arrays when an error occurs. The improper size allows an attacker to manipulate memory in a way that can bypass the Internet Explorer Enhanced Protected Mode (EPM) sandbox as well as the Enhanced Mitigation Experience Toolkit (EMET). This vulnerability can be exploited using a specially-crafted web page utilizing _vbscript_ in Internet Explorer. However, it may impact other software that makes use of OleAut32.dll and _vbscript_. Exploit code is publicly available for this vulnerability. Additional details may be found in CERT/CC Vulnerability Note VU#158647. ImpactArbitrary code can be run on the computer with user privileges. If the user is an administrator, the attacker may run arbitrary code as an administrator, fully compromising the system. SolutionAn update is available from Microsoft.[3] Please see Microsoft Security Bulletin MS14-064 for more details and mitigation guidance, and apply the necessary updates. References
Revision History
This product is provided subject to this Notification and this Privacy & Use policy.
SUBSCRIBER SERVICES:
|
||||||||||||
