On April 26th 2014, Microsoft released a security advisory (2963983) for a zero-day vulnerability in Internet Explorer (CVE-2014-1776). Exploitation of the vulnerability is reportedly being used in limited, targeted attacks. The vulnerability exists in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. There is currently no patch available for this vulnerability and Microsoft did not provide a release date for a patch.
Windows users running vulnerable versions of Internet Explorer are at risk, when visiting compromised websites containing malicious code to exploit this vulnerability.
According to Microsoft, The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
On completion of this investigation, Microsoft will take the appropriate action to protect customers, which may include providing a solution through the monthly security update release process, or an out-of-cycle security update, depending on customer needs.
- An attacker who successfully exploited this vulnerability could execute arbitrary code in the context of the currently logged-in user.
- Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative privileges.
- Microsoft Internet Explorer 6
- Microsoft Internet Explorer 7
- Microsoft Internet Explorer 8
- Microsoft Internet Explorer 9
- Microsoft Internet Explorer 10
- Microsoft Internet Explorer 11
SYMANTEC MSS SOC DETECTION CAPABILITIES:
For customers with our IDS/IPS Security Management services, vendor-based signatures will be automatically deployed, as per the vendor’s recommendation. If you would like further information regarding the signature states on your devices, or would like to request the activation of a specific signature, we can be reached by requesting help via phone, e-mail, or visiting the MSS portal at https://mss.symantec.com.
For customers with monitor-only IDS/IPS devices, Symantec MSS stands ready to provide security monitoring once your IDS/IPS vendor releases signatures and those signatures are enabled on your monitored devices.
- Cisco IPS
- HP TippingPoint
- ISS Network IDS
- McAfee Intrushield
- Palo Alto
- Snort/Sourcefire VRT
- Symantec SEP/AV:
- Symantec SEP/IPS:
- Web Attack: MSIE Use After Free CVE-2014-1776
This list of detection capabilities represents a snapshot of current detection. Symantec MSS stands ready to provide security monitoring once additional vendors or additional detection is identified and enabled on your monitored devices. As threats evolve, detection for those threats can and will evolve as well.
Microsoft Internet Explorer users who are concerned about this vulnerability can follow these mitigation steps:
- Apply the updates from Microsoft as soon as they become available.
- Do not use Microsoft Internet Explorer until the patch for this vulnerability has been installed.
- By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.
- By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.
- An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
Microsoft Suggested Workarounds:
- Workaround details: https://technet.microsoft.com/library/security/2963983
- Deploy the Enhanced Mitigation Experience Toolkit 4.1 (EMET). Note: EMET 3.0 does not mitigate this issue.
- Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
- Unregister VGX.DLL.
- Modify the Access Control List on VGX.DLL to be more restrictive.
- Enable Enhanced Protected Mode For Internet Explorer 11 and Enable 64-bit Processes for Enhanced Protected Mode.
Recommended Best Practices
- Symantec recommends customers use a layered approach to securing their environment, utilizing the latest Symantec technologies, including enterprise-wide security monitoring from Edge to Endpoint.
- Do not use out of date software, keep your operating system and software up to date with the latest versions and security patches.
- Run all software as a non-privileged user with minimal access rights.
- To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
- Deploy network intrusion detection systems to monitor network traffic for malicious activity.
- Do not follow links or open email attachments provided by unknown or untrusted sources.
- Memory-protection schemes (such as non-executable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.
- Symantec encourages users to apply all relevant patches when they are available.
For additional information related to this threat/vulnerability please reference the following links:
- Zero-Day Internet Explorer Vulnerability Let Loose in the Wild
- Microsoft Security Advisory 2963983