HP's Zero Day Initiative (ZDI) Monday disclosed four unpatched zero-day vulnerabilities in Internet Explorer Mobile that can enable a remote attacker to execute arbitrary code.
Three of the bugs are use-after-free vulnerabilities that exist within the handling of CTreePos objects, CCurrentStyle objects and CAttrArray objects, advisories issued by Microsoft indicated. The fourth flaw is an out-of-bounds memory access vulnerability related to how Internet Explorer processes arrays representing cells in HTML tables, one advisory said.
All of the vulnerabilities – which require user interaction in order to be exploited, meaning a user would have to open a malicious file or click on a malicious link – remain unpatched despite Microsoft having been notified by ZDI more than 120 days ago, the time limit ZDI allows before publicly announcing a vulnerability.
A spokesperson for Microsoft told SCMagazine.com Friday that when ZDI first notified Microsoft of the four vulnerabilities within the desktop app they were promptly addressed.
“Several months later ZDI came back and said they had reprogrammed the disclosures for the phone,” the spokesperson said, adding that Microsoft is addressing the issue, but couldn't say when a patch would be released.
In each of the Microsoft advisories, users are told to “configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.”
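The workaround quoted from the advisories is the standard one Microsoft gives for desktop Internet Explorer, where Active Scripting is controlled per security zone. The following PowerShell script is an added example, not code from the article or from Microsoft; it applies that workaround on a desktop machine by setting the Active Scripting action (registry value 1400; 0 = Enable, 1 = Prompt, 3 = Disable) for the Local intranet zone (1) and the Internet zone (3) under the current user's hive, and reads the value back so the change can be confirmed. It assumes a desktop Windows installation run as the user whose settings should change; Windows Phone exposes no such per-user control for Internet Explorer Mobile, and a Group Policy setting for the same zones would take precedence over the values written here.

```powershell
# Added example (not from the article or Microsoft): set the "Active scripting"
# action for the Internet (zone 3) and Local intranet (zone 1) security zones
# of desktop Internet Explorer to Prompt, matching the advisory workaround.
# Registry value 1400 = Active scripting; 0 = Enable, 1 = Prompt, 3 = Disable.
# Assumption: runs as the affected user (HKCU); Group Policy may override it.

param(
    [ValidateSet('Prompt', 'Disable', 'Enable')]
    [string]$Action = 'Prompt'
)

$valueFor = @{ Enable = 0; Prompt = 1; Disable = 3 }
$zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$base     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

foreach ($zone in $zones.Keys) {
    $key = Join-Path $base ([string]$zone)
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Record the current setting so the change is auditable; unset means IE's default.
    $before = (Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue).'1400'
    if ($null -eq $before) { $before = '(unset)' }

    Set-ItemProperty -Path $key -Name '1400' -Value $valueFor[$Action] -Type DWord

    # Read back to confirm the value actually landed.
    $after = (Get-ItemProperty -Path $key -Name '1400').'1400'
    '{0,-15} (zone {1}): Active scripting {2} -> {3} [{4}]' -f $zones[$zone], $zone, $before, $after, $Action
}
```

Run it with no arguments to set both zones to Prompt, or with `-Action Disable` for the stricter option the advisory also mentions; the same change is visible afterwards in Internet Options under Security, Custom level, Scripting, Active scripting. Reverting is a matter of running it again with `-Action Enable`.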