Microsoft has confirmed a new zero-day vulnerability found in Internet Explorer. The vulnerability (CVE-2014-1776) affects ALL versions of Internet Explorer 6 through Internet Explorer 11.
Microsoft issued Security Advisory 2963983 yesterday, April 26, acknowledging the vulnerability and that it is being used in targeted attacks. The current attack campaigns are targeting Internet Explorer 9 through Internet Explorer 11.
According to Microsoft’s security report, Internet Explorer is vulnerable to arbitrary code execution because of the “way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated.” The vulnerability allows an attacker to corrupt memory and execute arbitrary code in the browser. The attacker could corrupt the memory by hosting fake campaigns, along with numerous other methods of attack.
Microsoft is working with security firm FireEye and has dubbed the ongoing campaigns “Operation Clandestine Fox”.
FireEye security experts noted that if an attacker successfully corrupts the memory, the attacker will gain the same level of user access that the host has. Exploits such as this are huge security risks in business environments.
Internet Explorer Vulnerability Relying On Flash
Security researchers have stated there is no current security patch available for this vulnerability. FireEye reported that “in 2013, the vulnerable versions of IE accounted for 26.25% of the browser market”.
Steps to Protect Yourself from the Zero-Day Vulnerability
Microsoft is working on a patch but has not said when the update will be released; the next installment could be Tuesday, May 14, 2014. In the meantime, security analysts recommend the following steps to protect yourself.
Install Enhanced Mitigation Experience Toolkit (EMET 4.1), a free program that helps prevent vulnerabilities in software from being successfully exploited.
You can protect yourself against exploitation by changing your settings for the Internet security zone to block ActiveX controls and Active Scripting.
- Tools > Internet Options > Security > Internet > Custom Level > Under Scripting Settings > Disable Active Scripting
- Under Local intranet’s Custom Level Settings > Disable Active Scripting
If you are using Internet Explorer 10 or a higher version, enable Enhanced Protected Mode to protect your browser against the zero-day exploit.
The Internet Explorer exploit will not work without Adobe Flash, so users are currently being advised to disable the Adobe Flash plugin within IE.
De-register the VGX.dll (VML parser) file, which is responsible for rendering VML (Vector Markup Language) code in web pages, in order to prevent exploitation. Run the following command:
- regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
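To confirm that the registry-backed workarounds in the list above were actually applied, the following read-only PowerShell audit is an added example, not part of the original article or of Microsoft's advisory. The registry paths, the 1400 action value and the PMEM marker are assumptions based on standard Internet Explorer settings; EMET and the Flash add-on are not checked.

```powershell
# Read-only audit of the workarounds above for the current user.
# Assumed registry locations (standard IE settings, not from the page):
#   Zones\<n>\1400 = Active Scripting (0 enable, 1 prompt, 3 disable)
#   zone 1 = Local intranet, zone 3 = Internet
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

$report = @()
foreach ($id in ($zones.Keys | Sort-Object)) {
    $v = Get-RegValue "$zonesKey\$id" '1400'
    $report += [pscustomobject]@{
        Check  = "Active Scripting disabled ($($zones[$id]) zone)"
        Value  = $v
        Passed = ($v -eq 3)
    }
}

# Enhanced Protected Mode (IE 10+): Main\Isolation reads 'PMEM' when enabled.
$epm = Get-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Main' 'Isolation'
$report += [pscustomobject]@{
    Check = 'Enhanced Protected Mode enabled'; Value = $epm; Passed = ($epm -eq 'PMEM')
}

# vgx.dll is unregistered when no COM class names it as in-process server.
# Both the native and the 32-bit (Wow6432Node) views are scanned; this is slow.
$roots = 'Registry::HKEY_CLASSES_ROOT\CLSID',
         'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
$vgx = Get-ChildItem $roots -ErrorAction SilentlyContinue | ForEach-Object {
    $srv = Get-RegValue "Registry::$($_.Name)\InprocServer32" '(default)'
    if ($srv -like '*vgx.dll*') { $_.Name }
}
$report += [pscustomobject]@{
    Check = 'vgx.dll unregistered'; Value = ($vgx -join '; '); Passed = (-not $vgx)
}

$report | Format-Table -AutoSize -Wrap
```

Zone settings enforced through Group Policy are stored under the Policies keys and are not read by this script, so on a managed machine the per-user values shown here may not be the effective ones.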
Hello Mr. Stosh,
Can you explain to me, or point me to a source which can explain to me, the relevance of VML in the context of this exploit? How does VML (or deregistering it) relate to the vulnerability?
I would really appreciate an explanation.
But in short, the exploit relies on a SWF Flash file being loaded, or the Internet Explorer graphic won't load and arbitrary code cannot be executed. Not sure if this is what you're asking, but that's as best I can explain in short from what I personally understand.
Basically I was not sure why de-registering VGX.dll (VML parser) would help.
Thank you for your time and have a nice day!
And yes, I don’t think that would be possible. It has to actually load the exploit via Flash, to then execute arbitrary code. There are most likely permission issues trying to attack Internet Explorer directly as it's a system application, not third party.
But concerning VGX.dll, I am not entirely sure.
Thank you, and you have a nice one too!