THREAT OVERVIEW:
On April 26th 2014, Microsoft released a security advisory (2963983) for a zero-day vulnerability in Internet Explorer (CVE-2014-1776). Exploitation of the vulnerability is reportedly being used in limited, targeted attacks. The vulnerability exists in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. There is currently no patch available for this vulnerability and Microsoft did not provide a release date for a patch.
Windows users running vulnerable versions of Internet Explorer are at risk, when visiting compromised websites containing malicious code to exploit this vulnerability.
THREAT DETAILS:
According to Microsoft, The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
On completion of this investigation, Microsoft will take the appropriate action to protect customers, which may include providing a solution through the monthly security update release process, or an out-of-cycle security update, depending on customer needs.
IMPACT:
- An attacker who successfully exploited this vulnerability could execute arbitrary code in the context of the currently logged-in user.
- Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative privileges.
AFFECTED SOFTWARE:
- Microsoft Internet Explorer 6
- Microsoft Internet Explorer 7
- Microsoft Internet Explorer 8
- Microsoft Internet Explorer 9
- Microsoft Internet Explorer 10
- Microsoft Internet Explorer 11
MITIGATION STRATEGIES:
Microsoft Internet Explorer users who are concerned about this vulnerability can follow these mitigation steps:
- Apply the updates from Microsoft as soon as they become available.
- Do not use Microsoft Internet Explorer until the patch for this vulnerability has been installed.
Mitigating Factors
- By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.
- By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.
- An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.
Microsoft Suggested Workarounds:
- Workaround details: https://technet.microsoft.com/library/security/2963983
- Deploy the Enhanced Mitigation Experience Toolkit 4.1 (EMET). Note: EMET 3.0 does not mitigate this issue.
- Set Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones.
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
- Unregister VGX.DLL.
- Modify the Access Control List on VGX.DLL to be more restrictive.
- Enable Enhanced Protected Mode For Internet Explorer 11 and Enable 64-bit Processes for Enhanced Protected Mode.
