On April 26, 2014, Microsoft released Security Advisory 2963983 to notify customers of a vulnerability in Internet Explorer. At this time, Microsoft is aware of limited, targeted attacks and encourage customers to follow the suggested mitigations outlined in the security advisory while an update is finalized.
An attacker could trigger a Zero-Day Internet Explorer exploit through a malicious webpage that the targeted user has to access with one of the affected IE browsers (IE 6 through 11). If the attacker is successful, they can run code in order to gain the same user rights as the current user. This all depends on the loading of a Flash SWF file that calls for a javascript vulnerability in IE to trigger the flaw, which also allows the exploit to bypass the windows ASLR (Address space layout randomization) and DEP (Data Execution Prevention) protections on the target system, exploiting the Adobe Flash plugin. More detail on how these work here.
Here is the scoop on this one: if you have an administrator who gets caught by this vulnerability, you will have problems. The good news is they only access the user they are trying to target. The interesting thing here: this is the first open vulnerability that will not be patched on XP. This is an IE vulnerability, but technically there is only one version of IE for XP and that is IE 8. Although they are only seeing cases of this in the wild that are hitting IE 9 to IE 11, IE 8 is still vulnerable and therefore a concern, as there is probably not going to be an official patch.
Until the next patch is available
Microsoft investigations has revealed that Enhanced Protected Mode, on by default for the modern browsing experience in Internet Explorer 10 and Internet Explorer 11, as well as Enhanced Mitigation Experience Toolkit (EMET) 4.1 and EMET 5.0 Technical Preview, will help protect against this potential risk. They encourage customers to follow the suggested mitigations outlined in Security Advisory 2963983 while an update is finalized.
Most will have to wait until the next patch on Tuesday, May 13, 2014, but I dug around and found a few resources that will help you:
- The hacker news : New Zero-Day Vulnerability CVE-2014-1776 Affects all Versions of Internet Explorer Browser.
- Trend Lab : Internet Explorer Zero-Day Hits All Versions In Use.
As suggested by Microsoft, install Enhanced Mitigation Experience Toolkit, a free utility that helps prevent vulnerabilities in software from being successfully exploited. And if you are using IE 10 or IE 11, enable Enhanced Protected Mode to prevent your browser from some Zero-Day Attacks.
You can also protect against exploitation by changing your settings for the Internet security zone to block ActiveX controls and Active Scripting:
Tools / Internet Options / Security / Internet / Custom Level
- Under Scripting Settings: Disable Active Scripting
- Under Local intranet’s Custom Level Settings: Disable Active Scripting
IE Exploit will not work without Adobe Flash.
Users are advised to disable the Adobe Flash plugin within IE. This one is a good idea if you have XP systems: De-Register VGX.dll (VML parser) file, which is responsible for rendering of VML (Vector Markup Language) code in web pages, in order to prevent exploitation. Run following command:
regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
There is more good news here. Some security vendors have created rules to protect against this threat. TrendMicro specifically talks about rules they’ve created to block files that would trigger this vulnerability using their tools.
Time for a change
There is one other easy (and, in my opinion, obvious) option: use another browser. There are many browsers out there that are very good, like Google Chrome or firefox.
Perhaps it is time for a change – changing either your browser or working towards phasing out Windows XP (it IS 13 years old after all — most people don’t even keep a car that long, let along some old software).
*
UPDATE (May 1st, 2014):
Microsoft has released an out-of-band security update to address the issue affecting Internet Explorer (IE) that was first discussed in Security Advisory 2963983. This will include all versions even those affecting windows XP this time. Microsoft still encourages customer to upgrade to windows 7 or 8.1 and to the latest version of IE 11. Also this should happen automatically if you have automatic updates enabled.
On Friday May 2nd at 2:00 EST Microsoft will present this information in a live webcast.