Security Alert: IE Zero-Day Vulnerability Discovered in Targeted Attacks
FireEye Research Labs has recently discovered targeted attacks which exploit a critical zero-day vulnerability and affect all versions of Internet Explorer (IE). FireEye has disclosed this vulnerability to Microsoft, which has assigned CVE-2014-1776 to the vulnerability with a severity of 10 and has published Security Advisory 2963983 detailing the issue.
This exploit works in several stages ultimately resulting in arbitrary code execution within the context of the current user. Perhaps most notably, techniques used in the exploit are able to effectively bypass security features such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).
Note: Internet Explorer running on Windows Server with Enhanced Security Configuration enabled is protected against this vulnerability. All other Windows platforms are vulnerable.
At the moment, most of the available technical details regarding this vulnerability have been published by FireEye.
There are several options available to prevent this exploit from succeeding:
- Apply a security patch as soon as it is released by Microsoft.
- Utilize Microsoft's Enhanced Mitigation Experience Toolkit (EMET) version 4.1 or 5.0.
Note: EMET also applies to Windows XP -- this is critical, as it is not yet confirmed whether Windows XP will be receiving a security patch to resolve this issue.
- Enable Enhanced Protection Mode (EPM) in IE10 and IE11.
- Disable the Flash plugin within IE.
- Un-register VGX.DLL: "%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
Note: This can cause applications that depend on this module to fail, but several of our security partners cite this option because VGX.dll has also been implicated in other recent critical vulnerabilities (CVE-2013-2551, CVE-2013-0030).
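As an added example (not part of the original alert), the following PowerShell script checks whether vgx.dll is still registered as a COM server, so the un-register mitigation above can be verified across a fleet, and optionally applies it with the same regsvr32 command the alert gives. It assumes VML classes are registered under HKCR\CLSID with an InprocServer32 default value naming vgx.dll, and that it is run from an elevated session.

```powershell
# Added example, not from the original alert: verify (and optionally apply)
# the "un-register VGX.DLL" mitigation for CVE-2014-1776.
# Assumption: the VML classes appear under HKCR\CLSID\<clsid>\InprocServer32
# with a default value that ends in vgx.dll. Run elevated.
param(
    [switch]$Unregister   # pass -Unregister to actually remove the registration
)

$vgxPath = Join-Path ${env:CommonProgramFiles} 'Microsoft Shared\VGX\vgx.dll'

function Get-VgxRegistrations {
    # Walk every CLSID and return those whose in-process server is vgx.dll.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $serverKey = Join-Path $_.PSPath 'InprocServer32'
            $server = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
            if ($server -and $server -match 'vgx\.dll$') {
                [pscustomobject]@{ CLSID = $_.PSChildName; Server = $server }
            }
        }
}

$registrations = @(Get-VgxRegistrations)

if ($registrations.Count -eq 0) {
    Write-Output 'vgx.dll is not registered as a COM server: mitigation is in place.'
    return
}

Write-Output "vgx.dll is still registered under $($registrations.Count) CLSID(s):"
$registrations | Format-Table -AutoSize | Out-String | Write-Output

if ($Unregister) {
    if (-not (Test-Path $vgxPath)) { throw "vgx.dll not found at $vgxPath" }
    # Same command the alert recommends: /u un-registers, /s suppresses the dialog.
    # regsvr32 is a GUI-subsystem binary, so wait for it explicitly and check its exit code.
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\regsvr32.exe" `
        -ArgumentList '/u', '/s', "`"$vgxPath`"" -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "regsvr32 /u failed with exit code $($proc.ExitCode)" }

    # Re-check so the result reflects the registry, not just regsvr32's return value.
    $remaining = @(Get-VgxRegistrations)
    if ($remaining.Count -eq 0) {
        Write-Output 'vgx.dll un-registered successfully.'
    } else {
        Write-Warning "vgx.dll is still referenced by $($remaining.Count) CLSID(s); review them manually."
    }
}
```

Running the script without -Unregister is read-only and suitable for a scheduled inventory check; note the Windows Server ESC caveat and the application-compatibility note above still apply before un-registering.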
Detection / Protection
Check Point IPS:
Signature: Microsoft Internet Explorer Remote Code Execution (CVE-2014-1776)
Palo Alto Networks IPS:
Source: content-433-2194 release notes
Update: SEU 1097 / SRU 2014-04-28-002
SIDs: 30794, 30803
Source: SRU 04-28-2014-002
Web Attack: MSIE use after free CVE-2014-1776
Source: Symantec Security Blog
Coverage: IPS (Regular DB) / VCM