HP has disclosed 4 vulnerabilities in Internet Explorer which allow an attacker to take full control of a computer and for which no patches from Microsoft are available yet. The vulnerabilities were found as part of the HP Zero Day Initiative. Through this initiative HP rewards security researchers for reporting new vulnerabilities.
One of the 4 vulnerabilities was demonstrated during the Pwn2Own Mobile contest and reported to Microsoft in November. HP's policy is to disclose vulnerabilities after 90 days. Microsoft requested additional time to resolve the issue but didn't meet the new deadline either. HP therefore decided to disclose the vulnerability, which is present in all versions of Internet Explorer, including IE on Windows Phone.
To exploit the vulnerability, a user would need to visit a malicious or hacked website, see an infected advertisement or open a malicious file. Once the computer is infected, the attacker can run any code with the privileges of the logged-in user.
The other 3 vulnerabilities were reported to Microsoft in January and have the same impact. Microsoft again requested more time to patch the issues and again didn't meet the deadline, after which HP decided to disclose the 3 vulnerabilities.
Users who want to protect themselves from these vulnerabilities are advised not to allow Active Scripting in Internet Explorer in the Internet and Local Intranet security zones, or to require permission before Active Scripts are executed. Users should also be cautious when visiting unknown or shady websites.
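The Active Scripting mitigation above can be checked and applied from PowerShell. This is an added example, not part of HP's or Microsoft's guidance; it assumes the per-user zone settings under HKCU, where Internet Explorer stores the Active Scripting action as DWORD value `1400` (0 = enable, 1 = prompt, 3 = disable) for zone 1 (Local Intranet) and zone 3 (Internet).

```powershell
# Added example: audit or harden the Active Scripting setting for the
# current user's Internet and Local Intranet zones.
# Assumption: settings are per-user (HKCU) and not managed centrally.
param(
    [ValidateSet('Audit', 'Prompt', 'Disable')]
    [string]$Mode = 'Audit'
)

$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones = @(
    @{ Id = 1; Name = 'Local Intranet' },
    @{ Id = 3; Name = 'Internet' }
)
$labels = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }   # meaning of value 1400
$target = @{ Prompt = 1; Disable = 3 }

foreach ($zone in $zones) {
    $key = Join-Path $zonesRoot ([string]$zone.Id)

    if ($Mode -ne 'Audit') {
        # Create the zone key if it is missing, then write the requested action.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '1400' -Value $target[$Mode] -Type DWord
    }

    # Read back the effective per-user value; a missing value is reported as such.
    $prop = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
    $state = 'Not set'
    if ($null -ne $prop) {
        $raw = [int]$prop.'1400'
        $state = if ($labels.ContainsKey($raw)) { $labels[$raw] } else { "Unknown ($raw)" }
    }

    [pscustomobject]@{
        Zone            = $zone.Name
        ActiveScripting = $state
        # Anything other than Prompt or Disabled leaves the zone exposed.
        Mitigated       = $state -in @('Prompt', 'Disabled')
    }
}
```

Run without arguments to audit, or with `-Mode Prompt` or `-Mode Disable` to apply the setting. On machines where zone settings are pushed by Group Policy, the policy values take precedence over these per-user keys.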