Solved

Zero-day vulnerability for IE

Posted on 2014-04-28
596 Views
Last Modified: 2014-04-30
A new zero-day vulnerability was discovered on Saturday, 26 April for Internet Explorer (IE) versions 6 to 11. Microsoft has yet to issue a patch for it.


I heard that Symantec Endpoint could protect systems from the above.

Anyone know if TrendMicro's AV or IPS could do the same?

Let me know if TrendMicro or HP TippingPoint has released a signature to detect the above IE vulnerability.


Any concern / impact for implementing the following:
1. Install EMET 4.1, which helps to mitigate the exploitation of this vulnerability.

2. Set IE's Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
Question by:sunhux
8 Comments
 
LVL 95

Assisted Solution

by:John Hurst
John Hurst earned 110 total points
ID: 40027017
I have EMET V4.1 running (and have been using EMET since V2). EMET is an additional defense that obfuscates addresses used in applications on the computer.

For Internet Explorer, I did have to uncheck the SEHOP flags for IE in the Application window. This is a known bug, and keeping SEHOP enabled causes IE to regularly "stop working".

There is no issue in setting security to "high" but you may get more blocks and pop ups stopping your activity.

I have Symantec Endpoint Protection V12.1.4a running as well.

Really, the very best defense against these things is to use common sense. These exploits are invited in by clicking on bogus links. We are not hapless victims.
0
 
LVL 38

Accepted Solution

by:Rich Rumble
Rich Rumble earned 190 total points
ID: 40027540
There are other mitigations too: https://technet.microsoft.com/library/security/2963983#ID0E5FAC (unregister a dll, set active-x to prompt, modify vgx.dll acl)
EMET is a win for a lot more than IE, we discourage IE's use for our clients just because Active-x is still part of it. Flash and Java are the attack vectors on other browsers, but FF has made Java (since ff26) prompt to run by default: http://kb.mozillazine.org/Java#Java_content_requires_click-to-play_activation

You can bet most AV makers will have a signature 24-72 hours after something like this is PoC'd or in use. But not all 0-day exploits are used; most come out after the patch, and rely on those who do not patch asap. The 0-day is easier to reverse engineer once the patch is out.
This one does appear to be active, and in targeted attacks, so it's likely the AV vendors will have a patch soon.
-rich
0
 
LVL 64

Assisted Solution

by:btan
btan earned 200 total points
ID: 40028657
Cisco is releasing IPS signature 4256-0 and Snort signatures 30794, 30803 to detect the exploitation of this vulnerability. http://blogs.cisco.com/security/ie-zero-day-and-vgx-dll/

On the Trend Micro side, the post below states two rules:
http://blog.trendmicro.com/trendlabs-security-intelligence/internet-explorer-zero-day-hits-all-versions-in-use/

Trend Micro Deep Security and OfficeScan Intrusion Defense Firewall (IDF) have released a new deep packet inspection (DPI) rule to protect against exploits leveraging this vulnerability:

1006030 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-1776)
They also have a rule that restricts the use of the VML tag. This rule is already available to customers:

1001082 – Generic VML File Blocker

Symantec is in the midst of releasing similar:
http://www.symantec.com/connect/blogs/emerging-threat-microsoft-internet-explorer-zero-day-cve-2014-1776-remote-code-execution-vulne
0

Author Comment

by:sunhux
ID: 40028762
Thanks very much for the detailed responses.

For the 2 recommendations from MS, is deploying one of them enough, or does it require both to be implemented (i.e. deploying only one of the items below won't be effective in mitigating it)?
1. Install EMET 4.1, which helps to mitigate the exploitation of this vulnerability.
2. Set IE's Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
0
 

Author Comment

by:sunhux
ID: 40028763
I have hundreds of VMs, all with affected IE: what's a quick way to implement Option 1 that MS recommends, i.e. set the zone to High security?
0
 

Author Comment

by:sunhux
ID: 40028821
One more query: there are laptops / PCs used to connect to our servers, and these laptops'/PCs' IE is affected: how do we ensure the sysadmins (i.e. the users of these PCs / laptops) do not turn off/change this 'High security' setting? Currently Tripwire is not available to us yet; otherwise we could set it such that the security team is alerted if this is changed.
0
 

Author Comment

by:sunhux
ID: 40028826
Our company uses Trend AV on our laptops: are there available signature(s) for the laptops?

> unregister a dll, set active-x to prompt, modify vgx.dll acl
Can you elaborate how the above can be done & enforced (i.e. so that users can't change the mitigated settings)?
0
 
LVL 64

Assisted Solution

by:btan
btan earned 200 total points
ID: 40028848
Catch this from Microsoft on deploying EMET through the enterprise; specifically, go for the recommended settings:
http://support.microsoft.com/kb/2458544
https://www.trustedsec.com/july-2013/emet-4-0-security-strategy-and-installation-step-by-step/

And also:
- Set the PCs' IE Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
- Update Adobe Flash and Reader.

Or (for the time being) use an alternate browser instead of IE until testing in staging is alright, before pushing to all production endpoints.

There is also an "Unregister VGX.dll" workaround. This library is required to use Vector Markup Language (VML), a now deprecated vector graphics format previously used in Microsoft Office applications. Interestingly, this is not the first time that this particular library has been implicated in vulnerabilities. There is a bat file shared in the Symantec post:

http://www.symantec.com/connect/blogs/zero-day-internet-vulnerability-let-loose-wild
0
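One way to script the zone lockdown and the VGX.dll workaround that the question asks about across many hosts, and to check that nobody has reverted them, as an added example that is not from the thread or from Microsoft's advisory. It assumes elevated PowerShell on the affected Windows hosts, that the values under the Policies hive mirror what the IE Group Policy settings write, and uses hypothetical function names.

```powershell
# Added example, not from the thread or from Microsoft: applies the advisory's
# workarounds machine-wide and reports drift. Run elevated; push it with a GPO
# startup script, SCCM or Invoke-Command after testing in staging. Zone ids and
# action ids are IE's documented registry values: zone 1 = Local intranet,
# zone 3 = Internet; 1200 = Run ActiveX controls and plug-ins, 1400 = Active
# scripting; value 3 = Disable. Function names are hypothetical.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$VgxPaths   = @("$env:CommonProgramFiles\Microsoft Shared\VGX\vgx.dll",
                "${env:CommonProgramFiles(x86)}\Microsoft Shared\VGX\vgx.dll") |
              Where-Object { Test-Path $_ }

function Set-IEZoneHardening {
    # Policies-hive values override per-user settings, and Security_options_edit
    # removes the zone sliders from the IE UI, so users without HKLM rights cannot relax them.
    New-Item -Path $PolicyRoot -Force | Out-Null
    Set-ItemProperty -Path $PolicyRoot -Name 'Security_HKLM_only'    -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyRoot -Name 'Security_options_edit' -Value 1 -Type DWord
    foreach ($zone in 1, 3) {
        $key = Join-Path $PolicyRoot "Zones\$zone"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name '1200' -Value 3 -Type DWord  # ActiveX: Disable
        Set-ItemProperty -Path $key -Name '1400' -Value 3 -Type DWord  # Scripting: Disable
    }
}

function Disable-Vgx {
    # Advisory workaround: unregister VGX.dll and deny Everyone access so IE cannot load the VML parser.
    foreach ($p in $VgxPaths) {
        regsvr32.exe -u -s "$p"
        icacls.exe "$p" /deny 'Everyone:(F)' | Out-Null
    }
}

function Test-IEMitigations {
    # Returns findings (empty = compliant); schedule it and alert on non-empty output as a Tripwire stand-in.
    $findings = @()
    foreach ($zone in 1, 3) {
        $key = Join-Path $PolicyRoot "Zones\$zone"
        foreach ($action in '1200', '1400') {
            $v = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
            if ($v -ne 3) { $findings += "zone $zone action $action = '$v' (expected 3)" }
        }
    }
    foreach ($p in $VgxPaths) {
        $deny = (Get-Acl $p).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -like '*Everyone' }
        if (-not $deny) { $findings += "$p has no Deny ACE for Everyone" }
    }
    return $findings
}
Set-IEZoneHardening; Disable-Vgx; Test-IEMitigations
```

EMET itself is a separate MSI deployment (see the KB link above), so it is not covered here; this script only handles the zone and VGX.dll workarounds and the compliance check.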

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ready for our next Course of the Month? Here's what's on tap for June.
Ever visit a website where you spotted a really cool looking Font, yet couldn't figure out which font family it belonged to, or how to get a copy of it for your own use? This article explains the process of doing exactly that, as well as showing how…
Shows how to create a shortcut to site-search Experts Exchange using Google in the Chrome browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch the Search Engine Menu: In chrome, via you…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question