Microsoft Internet Explorer VBScript Memory Corruption Vulnerability Fixed by MS14-084


Description   (#A memory corruption vulnerability has been identified in the VBScript script engine of Internet Explorer.#A remote attacker could exploit it by inciting their victim to visit a malicious website or to open a file with a malicious ActiveX in order to execute arbitrary code with the user's rights.##This vulnerability is caused when Internet Explorer VBscript engine does not properly handle objects in memory.#Updated, 07/11/2016:#A proof of concept is available for this vulnerability.)
     
Vulnerable Products   Vulnerable Software:
Communication Manager (Avaya) - 3.0, 3.1, 3.1.1, 3.1.2, 3.1.3, ..., 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4Internet Explorer (Microsoft) - 6.0, 6.0, 6.0, 7.0, 7.0, ..., 8.0, 8.0, 8.0, 8.0, 8.0
     
Solution   Avaya recommends installing the security update as provided via Microsoft Windows and restrict local and network access to the server.
     
CVE   CVE-2014-6363
     
References   - MS14-084 : Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution
https://technet.microsoft.com/library/en-us/security/ms14-084
- ASA-2014-520 : Avaya Security Announcement
https://downloads.avaya.com/css/P8/documents/101005718
     
Vulnerability Manager Detection   No
     
IPS Protection  
ASQ Engine alarm Available Since
Web 2.0 : Detection of visual basic script embedded in web page
5.0.0
     


 
 
 
 
 Risk level 
High 

 Vulnerability First Public Report Date 
2014-12-09 

 Target Type 
Client 

 Possible exploit 
Remote