what you don't know can hurt you

Microsoft Internet Explorer ShowSaveFileDialog() Sandbox Bypass

Microsoft Internet Explorer ShowSaveFileDialog() Sandbox Bypass
Posted Jul 16, 2014
Authored by VUPEN | Site vupen.com

VUPEN Vulnerability Research Team discovered a critical vulnerability in Microsoft Internet Explorer. The vulnerability is caused due to an invalid handling of a sequence of actions aimed to save a file when calling "ShowSaveFileDialog()", which could be exploited by a sandboxed process to write files to arbitrary locations on the system and bypass IE Protected Mode sandbox. Versions 8, 9, 10, and 11 are affected.

tags | advisory, arbitrary, bypass
advisories | CVE-2014-2777
MD5 | f7525fc447e886eca4d40ed810bafdea

Microsoft Internet Explorer ShowSaveFileDialog() Sandbox Bypass

Change Mirror Download
VUPEN Security Research - Microsoft Internet Explorer
"ShowSaveFileDialog()" Protected Mode Sandbox Bypass (Pwn2Own 2014)

Website : http://www.vupen.com

Twitter : http://twitter.com/vupen


I. BACKGROUND
---------------------

"Microsoft Internet Explorer is a web browser developed by Microsoft and
included as part of the Microsoft Windows line of operating systems with
more than 60% of the worldwide usage share of web browsers." (Wikipedia)


II. DESCRIPTION
---------------------

VUPEN Vulnerability Research Team discovered a critical vulnerability
in Microsoft Internet Explorer.

The vulnerability is caused due to an invalid handling of a sequence
of actions aimed to save a file when calling "ShowSaveFileDialog()",
which could be exploited by a sandboxed process to write files to
arbitrary locations on the system and bypass IE Protected Mode sandbox.


III. AFFECTED PRODUCTS
---------------------------

Microsoft Internet Explorer 11
Microsoft Internet Explorer 10
Microsoft Internet Explorer 9
Microsoft Internet Explorer 8


IV. SOLUTION
----------------

Apply MS14-035 security update.


V. CREDIT
--------------

This vulnerability was discovered by VUPEN Security.


VI. ABOUT VUPEN Security
---------------------------

VUPEN is the leading provider of defensive and offensive cyber security
intelligence and advanced zero-day research. All VUPEN's vulnerability
intelligence results exclusively from its internal and in-house R&D
efforts conducted by its team of world-class researchers.

VUPEN Solutions: http://www.vupen.com/english/services/


VII. REFERENCES
----------------------

https://technet.microsoft.com/library/security/ms14-035
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2777


VIII. DISCLOSURE TIMELINE
-----------------------------

2011-02-12 - Vulnerability Discovered by VUPEN Security
2014-03-14 - Vulnerability Reported to ZDI and Microsoft During Pwn2Own 2014
2014-06-10 - Vulnerability Fixed by Microsoft
2014-07-16 - Public disclosure

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    0 Files
  • 3
    Apr 3rd
    0 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    0 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    0 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close