
Security Alert: IE Zero-Day Vulnerability Discovered in Targeted Attacks

April 29, 2014

Summary

FireEye Research Labs recently discovered targeted attacks that exploit a critical zero-day vulnerability affecting all versions of Internet Explorer (IE). FireEye disclosed the vulnerability to Microsoft, which has assigned it CVE-2014-1776 with a severity of 10 and has published Security Advisory 2963983 detailing the issue.

Impact

This exploit works in several stages, ultimately resulting in arbitrary code execution in the context of the current user. Most notably, the techniques used in the exploit effectively bypass security features such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).

Note: Internet Explorer running on Windows Server with Enhanced Security Configuration enabled is protected against this vulnerability. All other Windows platforms are vulnerable.

Exploitation

At the moment, most of the available technical details regarding this vulnerability have been published by FireEye.

Exploitation begins by directing a target to a malicious website that loads malicious Flash content. This Flash file prepares the heap so that the exploit payload sits at a memory location that can be determined at run time. Next, a JavaScript callback triggers the vulnerability, giving the attacker arbitrary memory access. Finally, the exploit code is injected into the method of a Flash object, where it is invoked and the exploit payload executed; the payload then makes HTTP requests to download the next stage of the attack (the malware payload).

Mitigation

There are several options available to prevent this exploit from succeeding:

  • Apply a security patch as soon as it is released by Microsoft.

  • Utilize Microsoft's Enhanced Mitigation Experience Toolkit (EMET) version 4.1 or 5.0.
    Note: This applies to Windows XP as well, which is critical because it is not yet confirmed whether Windows XP will receive a security patch for this issue.

  • Enable Enhanced Protected Mode (EPM) in IE10 and IE11.

  • Disable the Flash plugin within IE.

  • Un-register VGX.DLL: "%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
    Note: This can cause applications that depend on this module to fail, but several of our security partners cite this option because VGX.dll has also been implicated in other recent critical vulnerabilities (CVE-2013-2551, CVE-2013-0030).
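One way to apply and verify the VGX.DLL step above, as an added PowerShell example that is not part of the original advisory: it scans HKCR\CLSID for any COM server backed by vgx.dll, runs the advisory's regsvr32 command silently, and re-checks the registry afterwards. The -Restore switch (to re-register the DLL once a patch is installed) and the Get-VgxRegistrations helper are this example's own; run it from an elevated prompt.

```powershell
# Added example, not from the original advisory. Un-registers (or, with
# -Restore, re-registers) vgx.dll using the same regsvr32 command the
# advisory gives, and verifies the result against the CLSID registry.
param([switch]$Restore)

$vgx      = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'
$regsvr32 = Join-Path $env:SystemRoot 'System32\regsvr32.exe'

# Returns the CLSIDs whose InprocServer32 default value points at vgx.dll.
# An empty result means the DLL is no longer registered as a COM server.
function Get-VgxRegistrations {
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $server = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($server -and $server.'(default)' -match 'vgx\.dll$') { $_.PSChildName }
        }
}

if (-not (Test-Path $vgx)) {
    Write-Host "vgx.dll not present at $vgx; nothing to do."
    exit 0
}

$before = @(Get-VgxRegistrations)
Write-Host "CLSIDs currently served by vgx.dll: $($before.Count)"

# /s suppresses the regsvr32 dialog so the script can run unattended;
# /u is the advisory's un-register switch and is omitted for -Restore.
$regArgs = @('/s', "`"$vgx`"")
if (-not $Restore) { $regArgs = @('/u') + $regArgs }

$proc = Start-Process -FilePath $regsvr32 -ArgumentList $regArgs -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    Write-Error "regsvr32 returned exit code $($proc.ExitCode)"
    exit $proc.ExitCode
}

$after = @(Get-VgxRegistrations)
if ($Restore) {
    if ($after.Count -gt 0) { Write-Host 'vgx.dll re-registered.' }
    else { Write-Warning 'vgx.dll is still un-registered.' }
} else {
    if ($after.Count -eq 0) { Write-Host 'vgx.dll un-registered; VML rendering is disabled in IE.' }
    else { Write-Warning "vgx.dll is still registered under: $($after -join ', ')" }
}
```

The registry scan is what lets the script be re-run safely on every host in a fleet: it reports the current state rather than assuming the previous run succeeded.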

Detection / Protection

Check Point IPS:

Signature: Microsoft Internet Explorer Remote Code Execution (CVE-2014-1776)
Source: CPAI-2014-1481

Palo Alto Networks IPS:

Update: 433-2194
Signature: 36435
Source: content-433-2194 release notes

Sourcefire IPS:

Update: SEU 1097 / SRU 2014-04-28-002
SIDs: 30794, 30803
Source: SRU 04-28-2014-002

Symantec IPS/AV:

Web Attack: MSIE use after free CVE-2014-1776
Malware: Bloodhound.Exploit.552
Source: Symantec Security Blog

FortiGuard:

Vulnerability: MS.IE.StyleLayout.Handling.Memory.Corruption
Coverage: IPS (Regular DB) / VCM
Source: FortiGuard
