Zero-day vulnerability in Microsoft Internet Explorer

Privilege escalation
CVE-2014-4123

CrowdStrike first detected the attacks in spring.
The zero-day reported by CrowdStrike was also reported by FireEye.
The issue has been introduced in 07/27/2005.
The vulnerability was handled as a non-public zero-day exploit for at least 3366 days.

Exploited by Hurricane Panda.

Vulnerability details

Advisory: SB2014101406 - Multiple vulnerabilities in Microsoft Internet Explorer

Vulnerable component: Microsoft Internet Explorer

CVE-ID: CVE-2014-4123

CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Description:

The vulnerability allows a remote attacker to obtain elevated privileges on the target system.

The weakness exists due to the failure to properly validate permissions. A remote attacker can gain elevated privileges and execute arbitrary code on the affected system.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.


Known APT campaigns:

Hurricane Panda

Hurricane Panda is an attack targeting major infrastructure companies.

Attack was detected in 2013 and is believed to be of Chinese origin.