A few days ago we wrote about the discovered 0day vulnerability CVE-2014-1776, which is present in all versions of Internet Explorer (6-11) on all operating systems, from the no-longer-supported Windows XP through Windows 8 / 8.1 (see SA 2963983). An in-the-wild exploit for this vulnerability targets IE versions 9-11 and uses a specially crafted Flash Player object to bypass ASLR through heap spray (ActionScript, see heap feng shui) and DEP through ntdll-ROP. This SWF object is loaded into the browser through a malicious web page, which is responsible for creating the conditions needed to trigger the use-after-free vulnerability in IE. We added this Flash Player object to the database as SWF/Exploit.CVE-2014-1776.A.

Today, Microsoft published a notice about the release of security update MS14-021, which states that the company will release an unscheduled update to fix this vulnerability in the coming hours, and that Windows XP users will also receive the update (the update fixes the vulnerability not only in the browser itself, but also in ). Recall that the company ended support for Windows XP with the last Patch Tuesday on April 8, releasing the final scheduled updates for it.
The update will be delivered for all operating systems starting from Windows XP and ending with Windows 8.1 through the Windows Update service. To use it, you need to restart


be secure.