
SANS ISC InfoSec Community Forums


IE Zero Day Advisory from Microsoft

Microsoft released a Security Advisory yesterday (1) for a vulnerability that affects Internet Explorer versions 6 through 11. The bug is in Internet Explorer itself (CVE-2014-1776), not in Flash; the exploit seen in the wild uses Adobe Flash to get past some of the memory protections in newer versions of IE and Windows. The Microsoft advisory notes that "The vulnerability is a remote code execution vulnerability. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website."

The exploit is currently being used in limited, targeted attacks against IE9 through IE11, according to the security vendor FireEye (2), which is working with Microsoft on the issue. At the time of this writing, a patch is not yet available.

Actions to take to limit the impact of the vulnerability:

- Install EMET. According to FireEye's testing, EMET 4.1 and 5.0 break the exploit.

- Disable Flash. Note that IE 10 and later on Windows 8 include Flash, but you can still disable it. This is an IE vulnerability, but Flash is needed to exploit it and to bypass some of the protection techniques implemented in newer versions of IE/Windows, so disabling Flash blocks the exploit as it is currently seen in the wild without fixing the underlying bug.

- Enable Internet Explorer "Enhanced Protected Mode" (EPM), which became available in Internet Explorer 10. It may break some plugins.

 

(1) https://technet.microsoft.com/en-US/library/security/2963983

(2) http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html


-- tony d0t carothers --gmail (tony, 141 Posts, ISC Handler)

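The three mitigations above, plus the VGX.DLL workaround from the Microsoft advisory that comes up in the comments, can be applied and read back from an elevated PowerShell prompt. The script below is an added example written for this page; it is not code from the ISC diary, Microsoft or FireEye. It assumes the standard IE registry locations: the Shockwave Flash ActiveX CLSID {D27CDB6E-AE6D-11cf-96B8-444553540000} disabled through the ActiveX Compatibility kill bit (Compatibility Flags 0x400), the advisory's regsvr32 command for vgx.dll under the Common Files directory, and the Isolation=PMEM string that the EPM checkbox on the Advanced tab writes. Verify those against the advisory before rolling it out, and note that the EMET check only confirms EMET is installed, not that iexplore.exe is in its protected-application list.

```powershell
#Requires -RunAsAdministrator
# Added example for the mitigations in the diary above; not from the ISC diary,
# Microsoft or FireEye. Run in an elevated 64-bit PowerShell session on 64-bit
# Windows (or the native session on 32-bit Windows), then restart IE.
# Assumptions (verify against the advisory before rollout):
#   - Flash ActiveX CLSID {D27CDB6E-AE6D-11cf-96B8-444553540000}, disabled via
#     the ActiveX Compatibility kill bit (Compatibility Flags = 0x400)
#   - vgx.dll lives under %CommonProgramFiles%\Microsoft Shared\VGX (and the
#     x86 Common Files directory on 64-bit Windows), as in the advisory
#   - EPM is the 'Isolation' = 'PMEM' string under HKCU ...\Internet Explorer\Main

$flashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$is64 = [Environment]::Is64BitOperatingSystem

# 1. EMET: report whether it is installed at all (4.1 or 5.0 is what FireEye tested).
$uninstallKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall')
if ($is64) { $uninstallKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' }
$emet = Get-ChildItem $uninstallKeys -ErrorAction SilentlyContinue |
        Get-ItemProperty |
        Where-Object { $_.DisplayName -like 'EMET*' }
if ($emet) {
    Write-Output "EMET found: $($emet.DisplayName) $($emet.DisplayVersion) (confirm iexplore.exe is in its protected-application list)"
} else {
    Write-Warning 'EMET is not installed; install EMET 4.1 or later and add iexplore.exe'
}

# 2. Disable Flash: set the kill bit for the Flash ActiveX control.
#    64-bit IE reads the native hive, 32-bit IE reads Wow6432Node, so set both.
$compatKeys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid")
if ($is64) { $compatKeys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid" }
foreach ($key in $compatKeys) {
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value 0x400 -Type DWord
}

# 3. Advisory workaround: unregister vgx.dll so IE no longer renders VML.
#    Reverse with 'regsvr32.exe <path>' once the patch is installed.
$vgxPaths = @((Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'))
if ($is64) { $vgxPaths += (Join-Path ${env:CommonProgramFiles(x86)} 'Microsoft Shared\VGX\vgx.dll') }
foreach ($dll in $vgxPaths) {
    if (Test-Path $dll) { & "$env:SystemRoot\System32\regsvr32.exe" /u /s $dll }
}

# 4. Enable Enhanced Protected Mode for the current user (IE 10 and later).
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
Set-ItemProperty -Path $ieMain -Name 'Isolation' -Value 'PMEM' -Type String

# Read everything back so the change can be confirmed, or reused as a compliance check.
foreach ($key in $compatKeys) {
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
    $state = if ($flags -band 0x400) { 'set' } else { 'NOT set' }
    Write-Output "Flash kill bit ${key}: $state"
}
$epm = (Get-ItemProperty -Path $ieMain -Name 'Isolation' -ErrorAction SilentlyContinue).Isolation
Write-Output "EPM (Isolation): $epm"
```

In a domain the same kill bit and Isolation values are what the Group Policy route in the comments ends up writing; the script is for hosts you cannot reach with GPO, and for reading back what a GPO actually applied. Steps 2 and 3 are reversible once the out-of-band patch is installed: delete the Compatibility Flags value and re-register vgx.dll.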
It should be noted that the Enhanced Protection Mode is under the Advanced Tab (the last tab) in settings lower down under security, as there is something similarly named that is on by default in the first tab...
-- Anonymous (24 Posts)

Microsoft states that Windows Server 2003 is affected, but doesn't mention Windows XP at all, even though it's almost certainly affected too.

Is this the first official non-patch event for XP?
-- Mike Donovan (3 Posts)

Another possibility for mitigating this in Domain environments would be to disable Flash via Group Policy. Details here -
http://social.technet.microsoft.com/wiki/contents/articles/11406.how-to-disable-internet-explorer-ie-add-ons-through-group-policy.aspx
-- toymaster (13 Posts)

Does the new flash player v13.0.0.206 that came out very recently address this at all?
-- K-Dee (50 Posts)

Doesn't look like it: https://helpx.adobe.com/security/products/flash-player/apsb14-13.html

Looks like that Adobe Flash update is to address a different CVE (CVE-2014-0515).
-- Anonymous (1 Post)

With EMET 4.1 installed, launching IE causes Sophos Anti-Virus to quarantine IE due to a Buffer Overflow. I guess stopping IE from starting is one way to secure it.
-- Anonymous (1 Post)

I've read that this is explicitly NOT covered by EMET 3.0, how about EMET 4.0? Can anyone confirm?
-- Anonymous (10 Posts)

CORRECTION: This is what happens when I don't check all the details. As Anonymous commented re the Sophos article, the Adobe fix referred to a different CVE number (CVE-2014-0515) than the MS 0-day CVE (CVE-2014-1776). I mistook the references in the Adobe announcement to refer to the MS 0-day when in fact the actual CVE was entirely different. Mea culpa :(


INCORRECT:
===============
K-Dee, yes the 13.0.0.206 update is explicitly about this vulnerability. See:

http://helpx.adobe.com/security/products/flash-player/apsb14-13.html

"Adobe is aware of reports that an exploit for CVE-2014-0515 exists in the wild, and is being used to target Flash Player users on the Windows platform."
===============
-- T (29 Posts)

The MS blog only mentions EMET 4.1 and EMET 5.0, so I would assume anything earlier doesn't protect you.

Mike: I would say yes, this is the first "XP" issue that will go unpatched (unless you paid).
-- Jim (375 Posts, ISC Handler)

BTW, this is the MS blog I was referring to blogs.technet.com/b/srd/archive/2014/04/26/…
-- Jim (375 Posts, ISC Handler)

Has anyone tried the workaround in the MS security advisory that unregisters VGX.DLL and stops IE from rendering VML?
-- KeizerBill (4 Posts)

Quoting T: K-Dee, yes the 13.0.0.206 update is explicitly about this vulnerability. See:

http://helpx.adobe.com/security/products/flash-player/apsb14-13.html

"Adobe is aware of reports that an exploit for CVE-2014-0515 exists in the wild, and is being used to target Flash Player users on the Windows platform."


According to Adobe, Macs & Linux are vulnerable also!
-- RichH (8 Posts)

Quoting T: K-Dee, yes the 13.0.0.206 update is explicitly about this vulnerability. See:

http://helpx.adobe.com/security/products/flash-player/apsb14-13.html

"Adobe is aware of reports that an exploit for CVE-2014-0515 exists in the wild, and is being used to target Flash Player users on the Windows platform."


No, I think the flash patch addresses a different issue. That's what a number of articles on the web are saying, anyhow - e.g. http://nakedsecurity.sophos.com/2014/04/29/not-to-be-outdone-by-microsoft-adobe-announces-zero-day-exploit-patch-for-flash/

So it sounds like even with this Flash patch deployed, you are still vulnerable to the IE issue.
-- Anonymous (3 Posts)

So here we sit, in 2014, with Yet Another Flash Vulnerability, and there is still no viable or marketable alternative to Flash. Why not???
-- Anonymous (2 Posts)

Sophos naked security seems to indicate the latest IE zero day and the flash patch issued on 4/28 are unrelated.

http://nakedsecurity.sophos.com/2014/04/29/not-to-be-outdone-by-microsoft-adobe-announces-zero-day-exploit-patch-for-flash/
Adobe's newly-announced Flash exploit is unrelated: APSB14-13 is a bug in Flash itself that apparently allows remote code execution.
-- TexISO (15 Posts)

@Mike Donovan

They do not mention XP because as far as they are concerned XP does not exist anymore, so yes this is the first security bug that will not be patched.

That is unless you signed a support contract with them and are willing to pay big bucks for updates and patches.

Or are using XP embedded which is still supported.
-- PW (41 Posts)

The vuln topic for this diary entry was CVE-2014-1776, not CVE-2014-0515...
-- Anonymous (9 Posts)

Quoting PW: @Mike Donovan

They do not mention XP because as far as they are concerned XP does not exist anymore, so yes this is the first security bug that will not be patched.

That is unless you signed a support contract with them and are willing to pay big bucks for updates and patches.

Or are using XP embedded which is still supported.


But the vulnerability is in IE 6-11; versions 8 through 11 are still supported, and version 8 is the same on 2003 as it is on XP, thus a patch for IE 8 is likely to be forthcoming. Wouldn't count on IE 6-7, but then again, MS has provided updates for these two recently as well.
-- Alan (56 Posts)

Any tips on how to test EMET against this Vulnerability? Metasploit doesn't have the content yet as per the past Monday.

Thanks.
-- Anonymous (1 Post)

Out of Band Patch to be issued at noon Central time on 5/1

https://technet.microsoft.com/en-us/library/security/ms14-may.aspx
-- TexISO (15 Posts)
