
By: Andy Sherman on April 28th, 2014


New Microsoft IE Zero-Day Vulnerability


Back to other vulnerabilities and security issues. The first vulnerability since XP went out of support has been reported, although not yet patched. Once the patch is out for supported versions, though, it will remain a zero-day for XP. Here's a preview of a FAQ I'm preparing for our clients at work.

What is the security alert?

Microsoft has issued a security advisory (2963983), based on research done by FireEye, announcing a zero-day vulnerability in all versions of IE from IE6 through IE11. There is a bug in the way that IE accesses invalid memory (e.g. use after free) that can be exploited using Flash to allow remote code execution. According to FireEye, this vulnerability is NOT mitigated by either Address Space Layout Randomization (ASLR) or Data Execution Prevention (DEP).

This vulnerability has been designated CVE-2014-1776 in the National Vulnerability Database.

Both Microsoft and FireEye have warned that this vulnerability is being actively exploited in limited targeted attacks.

What is the impact?

The vulnerability allows a web site to cause IE to execute remotely provided code in the user’s security context. Microsoft notes that the attacker must convince users to visit the website hosting the exploit – but the success of other phishing operations would indicate that this is not difficult to accomplish.

Which versions of IE are vulnerable?

All versions of IE, from IE6 to IE11 on all versions of Windows, both desktop and server, are vulnerable.

Note that this is the first major vulnerability since the end of support for Windows XP. THERE WILL BE NO PATCH FOR XP.

Is there an active attack on this vulnerability?

There is currently a limited and targeted attack campaign targeting the U.S. Financial and Defense sectors. However, until the vulnerability is patched, any system running IE is at risk and the attackers can easily pivot to exploit another sector.

Can I do anything to mitigate this vulnerability?

The exploit requires Adobe Flash. Disabling the Flash plugin in IE stops the exploit. If you need Flash, adopt a dual-browser strategy and only enable Flash in the non-IE browser.

Running IE in a restricted mode known as “Enhanced Security Configuration” mitigates the vulnerability. This is the default configuration for IE on all Windows Server versions since Windows Server 2003. You could consider enabling this option on desktop builds, but you will need to test the impact on the applications you use.

All supported versions of Outlook, Outlook Express, and Windows Mail open HTML messages in the Restricted Zone, which disables scripts and ActiveX controls. That greatly reduces an attacker's ability to execute code automatically through a drive-by email attack.

Code run by the attacker runs with the rights of the user. Users should not routinely surf the web with administrative rights, and administrative users should be sure to have User Account Control enabled in Windows Vista and above.

Microsoft lists a number of additional workarounds to be considered:

  • Deploy the Enhanced Mitigation Experience Toolkit (EMET) 4.1 or 5.0. Note that this is not available for Windows XP.
  • Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones. Add sites that you trust to the Internet Explorer Trusted sites zone if this breaks them.
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
  • Unregister VGX.DLL until the vulnerability is patched if you don’t need to render VML.
  • Modify the Access Control List on VGX.DLL to be more restrictive.
  • Enable Enhanced Protected Mode (EPM) for Internet Explorer 10 and 11 and Enable 64-bit Processes for Enhanced Protected Mode. FireEye reports that EPM will stop the exploit.
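
One way to check which of these workarounds are in effect on an endpoint, as an added example (not part of the original post or of Microsoft's advisory). The registry value names reflect the standard per-user IE layout, and reading the VGX.DLL ACL workaround as a Deny entry for Everyone is an assumption.

```powershell
# Added example: read-only audit of the Microsoft workarounds listed above,
# for the current user on one endpoint. Assumptions: standard per-user IE
# registry layout; Group Policy overrides (Policies hives) are not inspected;
# the VGX.DLL ACL workaround is taken to be a Deny entry for Everyone.

function New-Result($check, $passed) {
    New-Object PSObject -Property @{ Check = $check; Passed = [bool]$passed }
}

$results  = @()
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }

foreach ($id in $zones.Keys) {
    $z = Get-ItemProperty "$zoneRoot\$id" -ErrorAction SilentlyContinue
    # CurrentLevel 0x12000 is the "High" template
    $results += New-Result "$($zones[$id]) zone at High" ($z.CurrentLevel -eq 0x12000)
    # Action 1400 is Active Scripting: 0 = enable, 1 = prompt, 3 = disable
    $results += New-Result "$($zones[$id]) zone: Active Scripting prompt/disabled" (1, 3 -contains $z.'1400')
}

# Enhanced Protected Mode and its 64-bit option (IE 10 and 11 only)
$main = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
$results += New-Result 'Enhanced Protected Mode enabled' ($main.Isolation -eq 'PMEM')
$results += New-Result '64-bit processes for EPM enabled' ($main.Isolation64Bit -eq 1)

# VGX.DLL: still registered as a COM server, and is access denied to Everyone?
# (The CLSID scan walks every registered class, so it takes a while.)
$vgx = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'
if (Test-Path $vgx) {
    $registered = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        Where-Object {
            $p = Get-ItemProperty "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            $p.'(default)' -like '*vgx.dll'
        }
    $results += New-Result 'VGX.DLL unregistered' (-not $registered)

    # Resolve ACL entries to SIDs so the check works on non-English systems
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $deny = (Get-Acl $vgx).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'S-1-1-0' }
    $results += New-Result 'VGX.DLL ACL denies Everyone' ([bool]$deny)
} else {
    $results += New-Result 'VGX.DLL not present' $true
}

$results | Select-Object Check, Passed | Format-Table -AutoSize
```

On 64-bit Windows the 32-bit copy of VGX.DLL lives under the `CommonProgramFiles(x86)` directory and needs the same check.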

Once a patch is available, install it, although this option will not be available for Windows XP.

What do I do if I'm on XP?

If you are on Windows XP the best thing to do is to upgrade to Windows 7 or Windows 8 as soon as possible. For your systems at home with no other enterprise protections, you should do that immediately.

We recognize that enterprises that are currently executing migration plans cannot complete them immediately. Things that an enterprise can do to help reduce the risk of this vulnerability for XP systems are:

  • Adopt a dual browser strategy and make the non-IE browser the default for XP endpoints. Users will do most of their web surfing in the other browser and use IE when a web application requires it.
  • Disable the Flash plugin in IE. If you need Flash for a particular application, adopt a dual browser strategy and only enable Flash in the non-IE browser.
  • Apply as many of the Microsoft workarounds as you can and keep them active on your XP systems even after a patch is available for supported versions of Windows.
  • Use an enterprise-grade web filter and keep its URL filters up to date. To the extent that exploit sites get on the radar of the web security vendors, they will be blocked.
  • Use an endpoint security product that includes firewall, intrusion prevention and behavioral filtering in addition to antivirus.
  • Accelerate your migration program as much as is practical.

About Andy Sherman

Andy Sherman, Eden Technologies’ security practice lead, has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but is best known for his 15+ years in information and technology security.