Today, Microsoft patched 59 Internet Explorer vulnerabilities, 21 of them discovered by Palo Alto Networks researchers. Palo Alto Networks is committed not only to detecting attacks, but preventing them as well.
Our internal research team discovered each of these 21 vulnerabilities and reported them to Microsoft so they could begin building and testing patches. Microsoft has already credited our team with 14 previous IE vulnerabilities in 2014, bringing our total for the year up to 35. We want to acknowledge Palo Alto Networks researchers Bo Qu, Hui Gao, Royce Lu, Xin Ouyang and the entire IPS team for all of the hard work they’ve put into discovering and validating these vulnerabilities.
Here’s what you need to know
- All 21 vulnerabilities are rated Critical because they allow for code execution without user interaction.
- The most-likely attack vectors are drive-by downloads through compromised websites and spear phishing e-mails which link to malicious web pages.
- We have not detected exploitation of these vulnerabilities in the wild at this time, but our threat intelligence team is monitoring for changes in the environment.
The table below provides a summary of the vulnerabilities and which versions of Internet Explorer they impact.
CVE Identifier | Title | 6 | 7 | 8 | 9 | 10 | 11 |
CVE-2014-1766 | Internet Explorer Memory Corruption Vulnerability | X | X | X | |||
CVE-2014-1775 | Internet Explorer Memory Corruption Vulnerability | X | X | X | X | X | X |
CVE-2014-1784 | Internet Explorer Memory Corruption Vulnerability | X | X | X | |||
CVE-2014-1785 | Internet Explorer Memory Corruption Vulnerability | X | |||||
CVE-2014-1789 | Internet Explorer Memory Corruption Vulnerability | X | |||||
CVE-2014-1791 | Internet Explorer Memory Corruption Vulnerability | X | X | X | X | X | |
CVE-2014-1796 | Internet Explorer Memory Corruption Vulnerability | X | X | X | X | X | |
CVE-2014-1799 | Internet Explorer Memory Corruption Vulnerability | X | X | X | X | X | X |
CVE-2014-1802 | Internet Explorer Memory Corruption Vulnerability | X | X | ||||
CVE-2014-1803 | Internet Explorer Memory Corruption Vulnerability | X | X | X | X | X | X |
CVE-2014-1804 | Internet Explorer Memory Corruption Vulnerability | X | |||||
CVE-2014-2755 | Internet Explorer Memory Corruption Vulnerability | X | |||||
CVE-2014-2756 | Internet Explorer Memory Corruption Vulnerability | X | X | ||||
CVE-2014-2759 | Internet Explorer Memory Corruption Vulnerability | X | X | X | |||
CVE-2014-2765 | Internet Explorer Memory Corruption Vulnerability | X | X | X | |||
CVE-2014-2766 | Internet Explorer Memory Corruption Vulnerability | X | X | X | |||
CVE-2014-2767 | Internet Explorer Memory Corruption Vulnerability | X | X | ||||
CVE-2014-2768 | Internet Explorer Memory Corruption Vulnerability | X | X | X | |||
CVE-2014-2769 | Internet Explorer Memory Corruption Vulnerability | X | X | ||||
CVE-2014-2770 | Internet Explorer Memory Corruption Vulnerability | X | |||||
CVE-2014-2771 | Internet Explorer Memory Corruption Vulnerability | X | X |
Internet Explorer is used in many of the networks Palo Alto Networks protects around the world and we’re doing our part to make it as secure as possible. Last week we released a series of IPS signatures to detect an advanced exploitation technique that takes advantage of ActiveX. In May, we linked a recent IE 0-day (CVE-2014-1776) to exploit code used against two other IE vulnerabilities exploited in the last 12 months.
Microsoft patched 129 IE vulnerabilities in all of 2013 and today’s release brings the 2014 total to 116. The faster the good guys track these down and get them patched, the harder we make the lives of the criminals looking to exploit them.