Researchers have discovered and publicly detailed four vulnerabilities in Internet Explorer on up-to-date and fully patched versions of Windows Phone that could give an attacker the ability to remotely execute code on a user's device.
The research team at TippingPoint, owned by HP, first reported the issues to Microsoft in private in the hope that the company would release a patch before word hit the streets. Microsoft asked for an extension beyond the normal four-month privacy window given by TippingPoint, and these extensions expired on Sunday, allowing the researchers to publicly reveal the issues.
The first of the vulnerabilities relates to how Internet Explorer on Windows Phone handles arrays representing HTML tables. The vulnerability allows an attacker, through careful manipulation of a webpage, to access memory beyond the end of an array of HTML cells, giving them a way to execute code.
The other three vulnerabilities concern the handling of CAttrArray, CCurrentStyle, and CTreePos objects. Through the use of a malicious webpage, an attacker could "force a dangling pointer to be reused after it has been freed", again giving them a way to execute code.
All four of the vulnerabilities allow code execution "under the context of the current process", which suggests that the code would be contained within Internet Explorer's sandbox. This would prevent the code from accessing critical system functionality, although only if the attack wasn't combined with the use of a separate privilege-escalation exploit.
Microsoft is aware of the issues with Internet Explorer on Windows Phone, but it's unclear why the company hasn't issued a patch. In a statement to Ars Technica, Microsoft said that "no attacks have been reported", adding that the company will "continue to monitor the situation and will take appropriate steps to protect our customers."