VUPEN Security Research - Microsoft Internet Explorer "ShowSaveFileDialog()" Sandbox Bypass (Pwn2Own 2014)

2014-07-21T00:00:00
ID SECURITYVULNS:DOC:30935
Type securityvulns
Reporter Securityvulns
Modified 2014-07-21T00:00:00

Description

VUPEN Security Research - Microsoft Internet Explorer "ShowSaveFileDialog()" Protected Mode Sandbox Bypass (Pwn2Own 2014)

Website : http://www.vupen.com

Twitter : http://twitter.com/vupen

I. BACKGROUND

"Microsoft Internet Explorer is a web browser developed by Microsoft and included as part of the Microsoft Windows line of operating systems with more than 60% of the worldwide usage share of web browsers." (Wikipedia)

II. DESCRIPTION

VUPEN Vulnerability Research Team discovered a critical vulnerability in Microsoft Internet Explorer.

The vulnerability is caused due to an invalid handling of a sequence of actions aimed to save a file when calling "ShowSaveFileDialog()", which could be exploited by a sandboxed process to write files to arbitrary locations on the system and bypass IE Protected Mode sandbox.

III. AFFECTED PRODUCTS

Microsoft Internet Explorer 11 Microsoft Internet Explorer 10 Microsoft Internet Explorer 9 Microsoft Internet Explorer 8

IV. SOLUTION

Apply MS14-035 security update.

V. CREDIT

This vulnerability was discovered by VUPEN Security.

VI. ABOUT VUPEN Security

VUPEN is the leading provider of defensive and offensive cyber security intelligence and advanced zero-day research. All VUPEN's vulnerability intelligence results exclusively from its internal and in-house R&D efforts conducted by its team of world-class researchers.

VUPEN Solutions: http://www.vupen.com/english/services/

VII. REFERENCES

https://technet.microsoft.com/library/security/ms14-035 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2777

VIII. DISCLOSURE TIMELINE

2011-02-12 - Vulnerability Discovered by VUPEN Security 2014-03-14 - Vulnerability Reported to ZDI and Microsoft During Pwn2Own 2014 2014-06-10 - Vulnerability Fixed by Microsoft 2014-07-16 - Public disclosure