Microsoft will fix 0day vulnerability in Internet Explorer for Windows XP

    A few days ago we wrote about the 0day vulnerability CVE-2014-1776, which is present in Internet Explorer versions 6-11 on all operating systems, from the already unsupported Windows XP through Windows 8 / 8.1 (see SA 2963983). The in-the-wild exploit for this vulnerability targets IE versions 9-11 and uses a specially crafted Flash Player object to bypass ASLR via heap spray (ActionScript, see heap feng shui) and DEP via ntdll-ROP. The SWF object is loaded into the browser by a malicious web page, which is responsible for creating the conditions needed to trigger the use-after-free vulnerability in IE. We added this Flash Player object to the database as SWF/Exploit.CVE-2014-1776.A.

    Today Microsoft published a notification for security update MS14-021, stating that the company will release an unscheduled update to fix this vulnerability in the coming hours and that Windows XP users will receive it as well (the update fixes the vulnerability not only in the browser itself, but also in the OS). Recall that the company ended support for Windows XP with the Patch Tuesday of April 8, when it released the last scheduled updates for it.

    The update will be delivered through the Windows Update service for all operating systems from Windows XP to Windows 8.1. A reboot is required to apply it.

    Be secure.
