Zero-day vulnerability in Microsoft Internet Explorer

CrowdStrike first detected the attacks in spring.
The zero-day reported by CrowdStrike was also reported by FireEye.
The issue has been introduced in 07/27/2005.
The vulnerability was handled as a non-public zero-day exploit for at least 3366 days.

Exploited by Hurricane Panda.

Advisory: SB2014101406 - Multiple vulnerabilities in Microsoft Internet Explorer

Vulnerable component: Microsoft Internet Explorer

CVE-ID: CVE-2014-4123

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Description:

The vulnerability allows a remote attacker to obtain elevated privileges on the target system.

The weakness exists due to the failure to properly validate permissions. A remote attacker can gain elevated privileges and execute arbitrary code on the affected system.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Hurricane Panda

Hurricane Panda is an attack targeting major infrastructure companies.

Attack was detected in 2013 and is believed to be of Chinese origin.

External links:

https://blogs.technet.microsoft.com/srd/2014/10/14/assessing-risk-for-the-october-2014-security-upda...
https://technet.microsoft.com/library/security/ms14-056
https://blog.qualys.com/laws-of-vulnerabilities/2014/10/14/october-2014-patch-tuesday
https://www.symantec.com/security_response/vulnerability.jsp?bid=70326
http://www.darkreading.com/attacks-breaches/hurricane-panda-cyberspies-used-windows-zero-day-for-mon...
https://computerobz.wordpress.com/2014/10/22/october-2014-patch-tuesday-addresses-four-active-zero-d...