Microsoft patches Internet Explorer vulnerability offered to Hacking Team

The use-after-free flaw was discovered within the Hacking Team emails


On Tuesday, as part of its monthly updates, Microsoft released a fix for Internet Explorer that addresses twenty-nine different vulnerabilities. One of them is a previously unknown vulnerability, offered to Hacking Team, that researchers discovered in the company's leaked emails.

Hacking Team, an Italian company that sells intrusion and surveillance tools to governments and law enforcement agencies, suffered a serious breach last week that led to the release of 400GB of data.

The leaked files included source code, sales contracts, corporate emails, and more. The incident has already resulted in three patches from Adobe, and now Microsoft has addressed flaws in its software that were being offered to the company by developers.

According to Vectra Networks, the vulnerability fixed by Microsoft impacts fully patched versions of Internet Explorer 11 on both Windows 7 and Windows 8.1.

The problem is an exploitable use-after-free (UAF) vulnerability that occurs within a custom heap in JSCRIPT9. Since it exists within a custom heap, Vectra said in a blog post, it could allow an attacker to bypass protections found in standard memory.

The vulnerability was discovered when Vectra researchers noticed an email from someone attempting to sell a proof-of-concept exploit to Hacking Team.

"The email described an exploitable use-after-free bug in IE 11. While Hacking Team declined to buy the PoC, the email gave enough information for Vectra researchers to find and analyze the bug. After approaching Hacking Team, the researcher may have gone elsewhere to sell the bug, and if successful it may have been exploited in the wild," the company explained.

It's worth mentioning that Microsoft credits Vectra Networks, Trend Micro, and FireEye with the discovery of CVE-2015-2425, but Vectra has stated the flaw they discovered was a use-after-free vulnerability in IE's JScript engine (CVE-2015-2419). Either way, both vulnerabilities were patched in the same bulletin.

The Vectra blog post contains additional details on the flaw, and the email it came from.
