IE Zer0-day: Internet Explorer Browser Exploit

April 29, 2014 by Brad Garnett

Microsoft recently acknowledged and issued a security advisory (Microsoft Security Advisory 2963983) regarding a vulnerability that would allow remote code execution (RCE) in all published versions of Internet Explorer (versions 6-11). Remote code execution here means a drive-by installation of malicious code, delivered to the user's browser when the user visits a specially crafted website designed to exploit this vulnerability.

If a PC user visits such a website and the attacker successfully exploits the vulnerability, the attacker gains the same user rights on the local computer as the current user. If the current user has administrative rights, the attacker could take complete control of the affected computer and begin pivoting into other computers (or systems) on the local network. The attacker could create additional user accounts, install programs or additional malware as a backdoor into the computer, and edit or delete data.

The Department of Homeland Security (DHS) and security companies are rating this at HIGH and CRITICAL impact levels. In other words, this vulnerability (officially assigned CVE-2014-1776) is being used in targeted attacks, has a significant impact on a wide array of users because of IE's market share, and is being actively investigated with no patch yet available. Microsoft will publish a solution or recommend that users apply a patch once one is available. This vulnerability may become known as the "VML bug", because it exploits the Vector Markup Language (VML), which is considered deprecated.


So what can I do?

Microsoft recommends the following workarounds and suggested actions:

  • Deploy the Enhanced Mitigation Experience Toolkit 4.1
  • Set the Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones. (Note: This may cause some websites to work incorrectly. If you are sure a site is safe, it can be added as a trusted site.)
  • Configure Internet Explorer to prompt before running Active Scripting, or disable Active Scripting in the Internet and Local intranet security zones. (Note: This may cause some websites to work incorrectly. If you are sure a site is safe, it can be added as a trusted site.)
  • Unregister VGX.DLL (Note: Once a patch is released from Microsoft, you'll need administrator privileges to re-register this DLL.)
  • Enable Enhanced Protected Mode for Internet Explorer 11 and enable 64-bit processes for Enhanced Protected Mode
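
As an added example (not part of Microsoft's advisory or the original post), the PowerShell script below reports the Active Scripting setting for the Internet and Local intranet zones and locates VGX.DLL; with `-Apply` it disables Active Scripting and unregisters the DLL. It assumes the default VGX.DLL location under Common Files\Microsoft Shared\VGX, per-user zone settings that are not overridden by Group Policy, and an elevated prompt when `-Apply` is used; the `-Apply` switch is constructed for this illustration.

```powershell
# Added example: audit (default) or apply (-Apply) two of the workarounds above.
# Run with -Apply from an elevated prompt; regsvr32 needs administrator rights.
param([switch]$Apply)

# URL security zones: 1 = Local intranet, 3 = Internet.
# URL action 1400 = Active Scripting: 0 = enabled, 1 = prompt, 3 = disabled.
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$meaning  = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }
$zones    = @(@{ Id = '1'; Name = 'Local intranet' }, @{ Id = '3'; Name = 'Internet' })

foreach ($z in $zones) {
    $key = Join-Path $zoneRoot $z.Id
    $cur = (Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue).'1400'
    $state = if ($null -eq $cur) { 'not set' }
             elseif ($meaning.ContainsKey([int]$cur)) { $meaning[[int]$cur] }
             else { "unknown ($cur)" }
    Write-Output ("{0} zone: Active Scripting is {1}" -f $z.Name, $state)
    if ($Apply -and $cur -ne 3) {
        # Assumption: the per-user value is the effective one (no policy override).
        Set-ItemProperty -Path $key -Name '1400' -Value 3 -Type DWord
        Write-Output '  -> set to disabled'
    }
}

# Assumption: VGX.DLL sits in its default location. The (x86) Common Files
# folder exists only on 64-bit Windows and holds the 32-bit copy of the DLL.
$roots = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique

foreach ($root in $roots) {
    $dll = Join-Path $root 'Microsoft Shared\VGX\vgx.dll'
    if (-not (Test-Path $dll)) { continue }
    # File presence alone does not show whether the DLL is currently registered.
    Write-Output "Found $dll"
    if ($Apply) {
        # /u = unregister, /s = suppress dialog boxes.
        $p = Start-Process regsvr32.exe -ArgumentList "/u /s `"$dll`"" -Wait -PassThru
        Write-Output ("  -> regsvr32 /u exit code {0}" -f $p.ExitCode)
    }
}
```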

Are you still a Windows XP user?

End of life for Windows XP was April 8, 2014. Microsoft no longer supports Windows XP and will not be releasing any updates for it. Un-register VGX.DLL and never re-register it. Contact your IT consultant about options for upgrading your existing Windows XP computer systems. As a separate workaround, until Microsoft releases a patch for this specific vulnerability, you can use an alternative browser such as Google Chrome or Mozilla Firefox for web browsing.

Please feel free to contact your Kemper IT Consultant on a solution that is specific to your environment.

 

References:

Microsoft Security Advisory 2963983: https://technet.microsoft.com/en-us/library/security/2963983.aspx

National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1776
