Microsoft Internet Explorer EditWith Broker API Sandbox Escape Vulnerability

2015-07-20T00:00:00
ID ZDI-15-342
Type zdi
Reporter Ashutosh Mehra (https://twitter.com/ashutoshmehra)
Modified 2015-11-09T00:00:00

Description

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer running in either Protected Mode or Enhanced Protected Mode. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the EditWith function of the document broker. The document broker can be induced to use a file path from a registry key that is controlled by the low integrity process. This can be changed while the broker is attempting to use it, resulting in a race condition and the execution of arbitrary executables at medium integrity.