Attacks on Internet Explorer Zero-Day Vulnerability (CVE-2014-1776)


Microsoft has confirmed a new zero-day vulnerability found in Internet Explorer. The vulnerability (CVE-2014-1776) affects ALL versions of Internet Explorer 6 through Internet Explorer 11.

Microsoft issued Security Advisory 2963983 yesterday, April 26, acknowledging the vulnerability and that it is being used in targeted attacks. The current attack campaigns are targeting Internet Explorer 9 through Internet Explorer 11.

According to Microsoft’s security report, Internet Explorer is vulnerable to arbitrary code execution because of the “way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated.” The vulnerability allows an attacker to corrupt memory and execute arbitrary code in the browser. The attacker could corrupt the memory by hosting fake campaigns, along with numerous other methods of attack.

Microsoft is working with security firm FireEye and has dubbed the ongoing campaigns “Operation Clandestine Fox”.

FireEye security experts noted that if an attacker successfully corrupts the memory, the attacker gains the same level of user access as the host has. Exploits such as this are huge security risks in business environments.

Internet Explorer Vulnerability Relying On Flash
Internet Explorer vulnerability CVE-2014-1776 depends upon loading an SWF file that calls JavaScript in the vulnerable version of Internet Explorer, which then triggers the flaw and allows the exploit to bypass Windows security features (ASLR and DEP) by exploiting the Adobe Flash plugin.

Security researchers have stated there is no current security patch available for this vulnerability. FireEye reported “in 2013, the vulnerable versions of IE accounted for 26.25% of the browser market”.

Steps to Protect yourself from the Zero Day Vulnerability
Microsoft is working on a patch but has not said when the update will be released; the next installment could be Tuesday, May 14, 2014. In the meantime, security analysts recommend the following steps to protect yourself.

Install Enhanced Mitigation Experience Toolkit (EMET 4.1), a free program that helps prevent vulnerabilities in software from being successfully exploited.

You can protect yourself against exploitation by changing your settings for the Internet security zone to block ActiveX controls and Active Scripting.

  • Tools > Internet Options > Security > Internet > Custom Level > Under Scripting Settings > Disable Active Scripting
  • Under Local intranet’s Custom Level Settings > Disable Active Scripting

If you are using Internet Explorer 10 or a higher version, enable Enhanced Protected Mode to protect your browser against the zero-day exploit.

The Internet Explorer exploit will not work without Adobe Flash, so users are currently being advised to disable the Adobe Flash plugin within IE.

De-register the VGX.dll (VML parser) file, which is responsible for rendering VML (Vector Markup Language) code in web pages, in order to prevent exploitation. Run the following command:

  • regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
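A read-only check of the Active Scripting steps above, added here as an example (it is not from the original post or from Microsoft). It assumes the standard Internet Settings zone layout in the registry, where URL action 1400 is Active Scripting and a value of 3 means disabled; the report column names are made up for this example.

```powershell
# Added example: audit whether Active Scripting is disabled in the Internet
# and Local intranet zones. Nothing is modified; registry values are only read.
# URL action 1400 = Active scripting; data 0 = enabled, 1 = prompt, 3 = disabled.
$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$meaning = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$suffix  = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# The same value can be set by policy or by the user, so report every place
# it is found instead of guessing which one the browser will honour.
$hives = [ordered]@{
    'Machine policy' = "HKLM:\SOFTWARE\Policies\$suffix"
    'User policy'    = "HKCU:\Software\Policies\$suffix"
    'User setting'   = "HKCU:\Software\$suffix"
}

$report = foreach ($zone in ($zones.Keys | Sort-Object)) {
    foreach ($source in $hives.Keys) {
        $key  = Join-Path $hives[$source] "$zone"
        $prop = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }   # value not set in this hive

        $data  = [int]$prop.'1400'
        $state = if ($meaning.ContainsKey($data)) { $meaning[$data] } else { "Unknown ($data)" }
        [pscustomobject]@{
            Zone      = $zones[$zone]
            Source    = $source
            Setting   = $state
            Mitigated = ($data -eq 3)
        }
    }
}

$report | Format-Table -AutoSize

# Flag any zone where no hive reports Active Scripting as disabled.
foreach ($zone in ($zones.Keys | Sort-Object)) {
    $name = $zones[$zone]
    if (-not ($report | Where-Object { $_.Zone -eq $name -and $_.Mitigated })) {
        Write-Warning "Active Scripting is not disabled for the $name zone."
    }
}
```

Run it as the user whose browser settings you want to check, since two of the three locations are per-user.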

About Author

Brandon Stosh is the founder and CEO of www.freedomhacker.net. Stosh is a cyber security researcher and professional consultant who strives to provide reliable news on cyber-security based topics.

4 Comments

  1. Hello Mr. Stosh,

    can you explain to me, or point me to a source, which can explain to me the relevance of VML in the context of this exploit? How does VML (or deregistering it) relate to the vulnerability?

    The attacks mentioned indicate that a swf-file is loaded and after that javascript. So if you disable javascript or flash in the browser, is the system still vulnerable if the attacker’s site displays a corrupted vector graphic?

    I would really appreciate an explanation.

    Kind regards
    Tobias

    • Hello,

      I am not sure I understand your question 100%, but I’ll do my best to explain. The attacker will send the Internet Explorer user to a webpage. Let’s say example.com. So attacker sends victim A to example.com. From there, JavaScript is triggered and Flash is activated, then executing arbitrary code into the browser. I am not too sure if disabling JavaScript would corrupt the graphic, but Microsoft noted that Flash is activated and JavaScript too. All I can direct you to would be TechNet’s and FireEye’s comment, which is inside the blog post.

      But in short, the exploit relies on an SWF Flash file to be loaded, or the Internet Explorer graphic won’t load and arbitrary code cannot be executed. Not sure if this is what you’re asking, but that’s as best I can explain in short from what I personally understand.

  2. Hello,

    thank you for your reply. You have answered my question insofar as that you confirmed that the attack “needs” flash/javascript. Some colleagues suggested that flash/javascript would not be necessary, that rendering an “infected”/corrupted vector graphic would suffice to infect a computer.

    Basically I was not sure why de-registering VGX.dll (VML parser) would help.

    Thank you for your time and have a nice day!

    • Hello again,

      And yes, I don’t think that would be possible. It has to actually load the exploit via Flash, to then execute arbitrary code. There are most likely permission issues trying to attack Internet Explorer directly as it’s a system application, not third party.

      But concerning VGX.dll, I am not entirely sure.

      Thank you, and you have a nice one too!
