Zero-day vulnerability for IE

A new zero-day vulnerability was discovered on Saturday, 26 April for Internet Explorer (IE) versions 6 to 11. Microsoft has yet to issue a patch for it.


I heard that Symantec Endpoint could protect systems from the above.

Does anyone know if Trend Micro's AV or IPS could do the same?

Let me know if Trend Micro or HP TippingPoint has released a signature to detect the above IE vulnerability.


Any concern/impact in implementing the following:
1. Install EMET 4.1, which helps to mitigate the exploitation of this vulnerability.

2. Set IE’s Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones.
sunhux Asked:

Rich Rumble (Security Samurai) Commented:
There are other mitigations too: https://technet.microsoft.com/library/security/2963983#ID0E5FAC (unregister a DLL, set ActiveX to prompt, modify the vgx.dll ACL).
EMET is a win for a lot more than IE; we discourage IE's use for our clients just because ActiveX is still part of it. Flash and Java are the attack vectors on other browsers, but FF has made Java (since FF 26) prompt to run by default: http://kb.mozillazine.org/Java#Java_content_requires_click-to-play_activation

You can bet most AV makers will have a signature 24-72 hours after something like this is PoC'd or in use. But not all 0-day exploits are used; most come out after the patch and rely on those who do not patch ASAP. The 0-day is easier to reverse engineer once the patch is out.
This one does appear to be active, and in targeted attacks, so it's likely the AV vendors will have a patch soon.
-rich
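The two vgx.dll workarounds Rich mentions (unregister the DLL, modify its ACL) as a PowerShell script that applies them and then verifies the result. This is an added example, not code from the thread or from Microsoft's advisory: it assumes the DLL lives under "Common Files\Microsoft Shared\VGX" (with a second 32-bit copy on 64-bit Windows), that the session is elevated, and the function names are this example's own.

```powershell
# Added example (not from the thread or the Microsoft advisory): applies and verifies
# two of the vgx.dll workarounds Rich lists, unregistering the DLL and denying Everyone
# access to it. Assumes the DLL location under "Microsoft Shared\VGX" and an elevated
# PowerShell session; the function names are this example's own.
#Requires -RunAsAdministrator

# 64-bit Windows ships a second, 32-bit copy under Common Files (x86); cover both.
$VgxPaths = @(Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll')
if (${env:CommonProgramFiles(x86)}) {
    $VgxPaths += Join-Path ${env:CommonProgramFiles(x86)} 'Microsoft Shared\VGX\vgx.dll'
}

function Get-VgxClsid {
    # CLSIDs whose in-process server still points at vgx.dll; empty once unregistered.
    # Walking the whole CLSID hive avoids hard-coding the VML class IDs.
    $roots = 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv -and $srv.'(default)' -match 'vgx\.dll$') { $_.PSChildName }
        }
    }
}

function Disable-Vgx {
    foreach ($dll in $VgxPaths) {
        if (-not (Test-Path $dll)) { continue }
        # 1. Unregister the COM server so IE no longer has a VML handler to reach.
        #    Reverse with: regsvr32.exe $dll
        & "$env:SystemRoot\System32\regsvr32.exe" /s /u $dll
        # 2. Deny Everyone all access so the file cannot be loaded even if something
        #    re-registers it. Reverse with: icacls $dll /remove:d Everyone
        & icacls $dll /deny 'Everyone:(F)' | Out-Null
    }
}

function Test-VgxMitigated {
    # One summary object; Mitigated is $true only when no CLSID maps to vgx.dll and every
    # copy on disk carries the Deny ACE. Suitable for a scheduled compliance check.
    $present = @($VgxPaths | Where-Object { Test-Path $_ })
    $clsids  = @(Get-VgxClsid)
    $denied  = @($present | Where-Object {
        (Get-Acl -Path $_).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq 'Everyone' -and
            $_.FileSystemRights -eq 'FullControl'
        }
    })
    [pscustomobject]@{
        FilesPresent    = $present.Count
        FilesDenied     = $denied.Count
        StillRegistered = $clsids
        Mitigated       = ($clsids.Count -eq 0) -and ($denied.Count -eq $present.Count)
    }
}

Disable-Vgx
Test-VgxMitigated
```

Run it once per machine (or via Invoke-Command against a list of hosts) and keep Test-VgxMitigated as the periodic check: a user with local admin rights can re-register the DLL, and the Deny ACE is what makes that re-registration harmless. Undo the ACE before deploying Microsoft's fix so the update can replace the file, and expect anything that still renders VML (older Office documents, some intranet pages) to break while the workaround is in place.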

John (Business Consultant, Owner) Commented:
I have EMET V4.1 running (and have been using EMET since V2). EMET is an additional defense that obfuscates addresses used in applications on the computer.

For Internet Explorer, I did have to uncheck the SEHOP flags for IE in the Application window. This is a known bug, and keeping SEHOP enabled causes IE to regularly "stop working".

There is no issue in setting security to "high" but you may get more blocks and pop ups stopping your activity.

I have Symantec Endpoint Protection V12.1.4a running as well.

Really, the very best defense against these things is to use common sense. These exploits are invited in by clicking on bogus links. We are not hapless victims.

btan (Exec Consultant) Commented:
Cisco is releasing IPS signature 4256-0 and Snort signatures 30794, 30803 to detect the exploitation of this vulnerability. http://blogs.cisco.com/security/ie-zero-day-and-vgx-dll/

On the Trend Micro side, the post below states two rules:
http://blog.trendmicro.com/trendlabs-security-intelligence/internet-explorer-zero-day-hits-all-versions-in-use/

Trend Micro Deep Security and OfficeScan Intrusion Defense Firewall (IDF) have released a new deep packet inspection (DPI) rule to protect against exploits leveraging this vulnerability:

1006030 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-1776)
They also have a rule that restricts the use of the VML tag. This rule is already available to customers:

1001082 – Generic VML File Blocker

Symantec is in the midst of releasing something similar:
http://www.symantec.com/connect/blogs/emerging-threat-microsoft-internet-explorer-zero-day-cve-2014-1776-remote-code-execution-vulne
sunhux (Author) Commented:
Thanks very much for the detailed responses.

For the 2 recommendations from MS, is deploying one of them enough, or does it require both to be implemented (i.e. deploying only one of the items below won't be effective in mitigating it)?
1. Install EMET 4.1, which helps to mitigate the exploitation of this vulnerability.
2. Set IE’s Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones.

sunhux (Author) Commented:
I have hundreds of VMs, all with affected IE: what's a quick way to implement Option 1 that MS recommends, i.e. set the zone to High security?

sunhux (Author) Commented:
One more query: there are laptops/PCs used to connect to our servers, and these laptops'/PCs' IE is affected: how do we ensure the sysadmins (i.e. the users of these PCs/laptops) do not turn off/change this 'High security' setting? Currently Tripwire is not available to us yet; otherwise we could set it up such that the security team is alerted if this is changed.

sunhux (Author) Commented:
Our company uses Trend AV on our laptops: is there an available signature (or signatures) for the laptops?

> unregister a dll, set active-x to prompt, modify vgx.dll acl
Can you elaborate on how the above can be done & enforced (i.e. so that users can't change the mitigated settings)?

btan (Exec Consultant) Commented:
Catch this from Microsoft on deploying EMET through the enterprise; specifically, go for the recommended setting:
http://support.microsoft.com/kb/2458544
https://www.trustedsec.com/july-2013/emet-4-0-security-strategy-and-installation-step-by-step/

And also
-Set the PCs' IE Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones.
-Update Adobe Flash and Reader.

Or (for the time being) use an alternate browser instead of IE till the testing is alright in staging, before pushing to all endpoints in production.

There is also "Unregister VGX.dll". This library is required to use Vector Markup Language (VML), a now deprecated vector graphics format previously used in Microsoft Office applications. Interestingly, this is not the first time that this particular library has been implicated in vulnerabilities. There is a .bat shared in the Symantec post:

http://www.symantec.com/connect/blogs/zero-day-internet-vulnerability-let-loose-wild
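The "Internet and Local intranet zones to High" step that btan lists, and the asker's three follow-ups (hundreds of VMs, sysadmins who must not be able to undo it, no Tripwire to detect drift), as a PowerShell script. This is an added example and not code from the thread or from Microsoft's guidance: it writes the machine policy keys rather than the per-user ones so the same script can be pushed to every VM and the Security tab is locked for users, and it includes a check function for a scheduled job. It assumes IE's documented zone numbering (1 = Local intranet, 3 = Internet), the action IDs 1200 (ActiveX) and 1400 (Active scripting), the template level 0x12000 for "High", and the registry values behind the two "Security Zones" Group Policy settings named in the comments; the function names are this example's own.

```powershell
# Added example (not from the thread or Microsoft's guidance): sets the Internet and
# Local intranet zones to "High" through the machine policy keys, locks the zone UI so
# users cannot slide it back, and reports drift. Assumes the documented zone numbering,
# action IDs and the registry values behind the two "Security Zones" Group Policy
# settings named below; runs elevated.
#Requires -RunAsAdministrator

$PolicyRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZonesRoot   = "$PolicyRoot\Zones"
$TargetZones = 1, 3          # 1 = Local intranet, 3 = Internet
$HighLevel   = 0x12000       # IE template level "High" (Medium-High is 0x11500)
# Per-action settings that "High" already disables; set them explicitly so a later
# template change cannot quietly re-enable them. 0 = enable, 1 = prompt, 3 = disable.
$Actions = @{ '1200' = 3     # Run ActiveX controls and plug-ins
              '1400' = 3 }   # Active scripting

function Set-IeZoneHigh {
    foreach ($zone in $TargetZones) {
        $key = "$ZonesRoot\$zone"
        New-Item -Path $key -Force | Out-Null      # creates parent keys as needed
        Set-ItemProperty -Path $key -Name 'CurrentLevel' -Value $HighLevel -Type DWord
        foreach ($action in $Actions.Keys) {
            Set-ItemProperty -Path $key -Name $action -Value $Actions[$action] -Type DWord
        }
    }
    # "Security Zones: Use only machine settings" (HKCU zone settings are ignored) and
    # "Security Zones: Do not allow users to change policies" (Security tab greyed out).
    Set-ItemProperty -Path $PolicyRoot -Name 'Security_HKLM_only'    -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyRoot -Name 'Security_options_edit' -Value 1 -Type DWord
}

function Test-IeZoneHigh {
    # One object per zone with the values actually in the registry and a Compliant flag,
    # so a scheduled job can raise an alert when something rewrites them.
    $lock   = Get-ItemProperty -Path $PolicyRoot -ErrorAction SilentlyContinue
    $locked = ($lock.Security_HKLM_only -eq 1) -and ($lock.Security_options_edit -eq 1)
    foreach ($zone in $TargetZones) {
        $p  = Get-ItemProperty -Path "$ZonesRoot\$zone" -ErrorAction SilentlyContinue
        $ok = $locked -and $p -and ($p.CurrentLevel -eq $HighLevel)
        foreach ($action in $Actions.Keys) {
            $ok = $ok -and ($p.$action -eq $Actions[$action])
        }
        [pscustomobject]@{
            Zone         = $zone
            CurrentLevel = if ($p) { '0x{0:X}' -f [int]$p.CurrentLevel } else { 'unset' }
            ActiveX      = if ($p) { $p.'1200' } else { 'unset' }
            ActiveScript = if ($p) { $p.'1400' } else { 'unset' }
            Locked       = $locked
            Compliant    = [bool]$ok
        }
    }
}

Set-IeZoneHigh
Test-IeZoneHigh | Format-Table -AutoSize
```

For the hundreds of VMs, run it remotely (for example `Invoke-Command -ComputerName (Get-Content .\vms.txt) -FilePath .\Set-IeZoneHigh.ps1`, with the host list and file name being this example's assumptions) or put the same settings into a GPO (Computer Configuration > Administrative Templates > Windows Components > Internet Explorer, and the zone templates under Internet Control Panel > Security Page), which is what the policy keys are designed for. Two caveats: the lock only disables the user interface, so a sysadmin who is a local administrator can still rewrite HKLM, which is why Test-IeZoneHigh should run on a schedule and report non-compliant hosts; and "High" on the Local intranet zone will break intranet applications that rely on ActiveX or scripting, so stage it first as btan suggests.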