Solved

Zero-day vulnerability for IE

Posted on 2014-04-28
Last Modified: 2014-04-30
A new zero-day vulnerability was discovered on Saturday, 26 April for Internet Explorer (IE) versions 6 to 11. Microsoft has yet to issue a patch for it.


I heard that Symantec Endpoint could protect systems from the above.

Anyone know if TrendMicro's AV or IPS could do the same?

Let me know if TrendMicro or HP TippingPoint has released a signature to detect the above IE vulnerability.


Any concern / impact for implementing the following:

1. Install EMET 4.1 which helps to mitigate the exploitation of this vulnerability.
2. Set IE’s Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones.
Question by:sunhux
8 Comments
 
LVL 95

Assisted Solution

by:John Hurst
John Hurst earned 110 total points
ID: 40027017
I have EMET V4.1 running (and have been using EMET since V2). EMET is an additional defense that obfuscates addresses used in applications on the computer.

For Internet Explorer, I did have to uncheck the SEHOP flags for IE in the Application window. This is a known bug, and keeping SEHOP enabled causes IE to regularly "stop working".

There is no issue in setting security to "high" but you may get more blocks and pop ups stopping your activity.

I have Symantec Endpoint Protection V12.1.4a running as well.

Really, the very best defense against these things is to use common sense. These exploits are invited in by clicking on bogus links. We are not hapless victims.
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 190 total points
ID: 40027540
There are other mitigations too: https://technet.microsoft.com/library/security/2963983#ID0E5FAC (unregister a dll, set active-x to prompt, modify vgx.dll acl)
EMET is a win for a lot more than IE, we discourage IE's use for our clients just because Active-x is still part of it. Flash and Java are the attack vectors on other browsers, but FF has made Java (since ff26) prompt to run by default: http://kb.mozillazine.org/Java#Java_content_requires_click-to-play_activation

You can bet most AV makers will have a signature 24-72 hours after something like this is PoC'd or in use. But not all 0-day exploits are used; most come out after the patch, and rely on those who do not patch ASAP. The 0-day is easier to reverse engineer once the patch is out.
This one does appear to be active, and in targeted attacks, so it's likely the AV vendors will have a patch soon.
-rich
 
LVL 63

Assisted Solution

by:btan
btan earned 200 total points
ID: 40028657
Cisco is releasing IPS signature 4256-0 and Snort signatures 30794, 30803 to detect the exploitation of this vulnerability. http://blogs.cisco.com/security/ie-zero-day-and-vgx-dll/

On the Trend Micro side, two rules are stated, as below:
http://blog.trendmicro.com/trendlabs-security-intelligence/internet-explorer-zero-day-hits-all-versions-in-use/

Trend Micro Deep Security and OfficeScan Intrusion Defense Firewall (IDF) have released a new deep packet inspection (DPI) rule to protect against exploits leveraging this vulnerability:

1006030 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-1776)
They also have a rule that restricts the use of the VML tag. This rule is already available to customers:

1001082 – Generic VML File Blocker

Symantec is in the midst of releasing something similar:
http://www.symantec.com/connect/blogs/emerging-threat-microsoft-internet-explorer-zero-day-cve-2014-1776-remote-code-execution-vulne
 

Author Comment

by:sunhux
ID: 40028762
Thanks very much for the detailed responses.

For the 2 recommendations from MS, is deploying one of them enough, or do both need to be implemented (i.e., deploying only one of the items below won't be effective in mitigating it)?

1. Install EMET 4.1 which helps to mitigate the exploitation of this vulnerability.
2. Set IE’s Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones.
 

Author Comment

by:sunhux
ID: 40028763
I have hundreds of VMs, all with affected IE: what's a quick way to implement Option 1 that MS recommends, i.e., set zone to High security?
 

Author Comment

by:sunhux
ID: 40028821
One more query: there are laptops / PCs used to connect to our servers, and IE on these laptops / PCs is affected: how do we ensure the sysadmins (i.e., the users of these PCs / laptops) do not turn off or change this 'High security' setting? Currently Tripwire is not available to us yet; otherwise we could set it such that the security team is alerted if this is changed.
 

Author Comment

by:sunhux
ID: 40028826
Our company uses TrendAv on our laptops: is there an available signature(s) for the laptops?

> unregister a dll, set active-x to prompt, modify vgx.dll acl
Can you elaborate on how the above can be done & enforced (i.e., so that users can't change the mitigated settings)?
 
LVL 63

Assisted Solution

by:btan
btan earned 200 total points
ID: 40028848
Catch this from Microsoft on deploying EMET through Enterprise; specifically, go for the recommended setting:
http://support.microsoft.com/kb/2458544
https://www.trustedsec.com/july-2013/emet-4-0-security-strategy-and-installation-step-by-step/

And also:
- Set the PCs' IE Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones.
- Update Adobe Flash and Reader.

Or (for the time being) use an alternate browser instead of IE until the testing is all right in staging, before pushing to all endpoints from production.

There is also an "Unregister VGX.dll" workaround. This library is required to use Vector Markup Language (VML), a now deprecated vector graphics format previously used in Microsoft Office applications. Interestingly, this is not the first time that this particular library has been implicated in vulnerabilities. There is a .bat file shared in the Symantec post:

http://www.symantec.com/connect/blogs/zero-day-internet-vulnerability-let-loose-wild
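
Added example, not part of any post in this thread: a PowerShell audit that reports, for the Internet and Local intranet zones, the effective value of the two URL actions the "High" setting is meant to disable (1200, Run ActiveX controls and plug-ins; 1400, Active scripting), and whether that value comes from a Policies key that users cannot edit in the IE dialog. The function names and the lookup order used to pick the effective value are assumptions of this example.

```powershell
# Added example: audit the IE zone hardening discussed in this thread.
# Zone 1 = Local intranet, zone 3 = Internet.
$IS       = 'Microsoft\Windows\CurrentVersion\Internet Settings'
$Zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Actions  = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$Disabled = 3   # URL action value: 0 = enable, 1 = prompt, 3 = disable

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function Get-IEZoneMitigation {
    $hklmPol     = "HKLM:\SOFTWARE\Policies\$IS"
    # "Security Zones: Use only machine settings" and
    # "Security Zones: Do not allow users to change policies"
    $machineOnly = (Get-RegValue $hklmPol 'Security_HKLM_only') -eq 1
    $uiLocked    = (Get-RegValue $hklmPol 'Security_options_edit') -eq 1
    # Assumed lookup order: policy keys first, then machine or user preferences.
    $sources = if ($machineOnly) {
        @($hklmPol, "HKLM:\SOFTWARE\$IS")
    } else {
        @($hklmPol, "HKCU:\Software\Policies\$IS", "HKCU:\Software\$IS")
    }
    foreach ($z in ($Zones.Keys | Sort-Object)) {
        foreach ($a in ($Actions.Keys | Sort-Object)) {
            $hit = $null
            foreach ($s in $sources) {
                $v = Get-RegValue "$s\Zones\$z" $a
                if ($null -ne $v) { $hit = [pscustomobject]@{ Value = $v; Source = $s }; break }
            }
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Zone      = $Zones[$z]
                Action    = $Actions[$a]
                Value     = if ($hit) { $hit.Value } else { $null }
                Source    = if ($hit) { $hit.Source } else { 'not set' }
                Enforced  = [bool]($hit -and $hit.Source -like '*\Policies\*')
                UILocked  = $uiLocked
                Compliant = [bool]($hit -and $hit.Value -eq $Disabled)
            }
        }
    }
}

Get-IEZoneMitigation | Format-Table -AutoSize
```

HKCU is the hive of whoever runs the script, so run it in the user's logon context (for example as a logon script) when per-user values matter. A row with `Compliant = True` but `Enforced = False` is a setting the user can still change back.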