Solved

Zero-day vulnerability for IE

Posted on 2014-04-28
8
572 Views
Last Modified: 2014-04-30
A new Zero-day vulnerability was discovered on Saturday, 26 April for Internet Explorer
 (IE) version 6 to 11. Microsoft has yet to issue a patch for it.


I heard that Symantec Endpoint could protect systems from the above.

Anyone know if TrendMicro's AV or IPS could do the same?

Let me know if TrendMicro or HP Tippg Pt has released signature to detect
the above IE's vulnerability.


Any concern / impact for implementing the following :
1.       Install EMET 4.1 which helps to mitigate the exploitation of this vulnerability.

2.       Set IE’s Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones
0
Comment
Question by:sunhux
8 Comments
 
LVL 92

Assisted Solution

by:John Hurst
John Hurst earned 110 total points
ID: 40027017
I have EMET V4.1 running (and have been using EMET since V2). EMET is an additional defense that obfuscates addresses used in applications on the computer.

For Internet Explorer, I did have to uncheck the SEHOP flags for IE in the Application window. This is a known bug and keeping SEHOP enabled causes IE to regularly "stop working"

There is no issue in setting security to "high" but you may get more blocks and pop ups stopping your activity.

I have Symantec Endpoint Protection V12.1.4a running as well.

Really, the very best defense against these things is to use common sense. These exploits are invited in by clicking on bogus links. We are not hapless victims.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 190 total points
ID: 40027540
There are other mitigations too: https://technet.microsoft.com/library/security/2963983#ID0E5FAC (unregister a dll, set active-x to prompt, modify vgx.dll acl)
EMET is a win for a lot more than IE, we discourage IE's use for our clients just because Active-x is still part of it. Flash and Java are the attack vectors on other browsers, but FF has made Java (since ff26) prompt to run by default: http://kb.mozillazine.org/Java#Java_content_requires_click-to-play_activation

You can bet most AV makers will have a signature 24-72 hours later after something like this is PoC'd or in use. But not all 0-day exploits are used, most come out after the patch, and rely on those who do not patch asap. The 0-day is easier to reverse engineer once the patch is out.
This one does appear to be active, and in targeted attacks, so it's likely the AV vendors will have a patch soon.
-rich
0
 
LVL 62

Assisted Solution

by:btan
btan earned 200 total points
ID: 40028657
Cisco is releasing IPS signature 4256-0 and Snort signatures 30794, 30803 to detect the exploitation of this vulnerability. http://blogs.cisco.com/security/ie-zero-day-and-vgx-dll/

Trend Micro side as below stated two rules
http://blog.trendmicro.com/trendlabs-security-intelligence/internet-explorer-zero-day-hits-all-versions-in-use/

Trend Micro Deep Security and OfficeScan Intrusion Defense Firewall (IDF) have released a new deep packet inspection (DPI) rule to protect against exploits leveraging this vulnerability:

1006030 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-1776)
They also have a rule that restricts the use of the VML tag. This rule is already available to customers:

1001082 – Generic VML File Blocker

Symantec is midst to releasing similar
http://www.symantec.com/connect/blogs/emerging-threat-microsoft-internet-explorer-zero-day-cve-2014-1776-remote-code-execution-vulne
0
 

Author Comment

by:sunhux
ID: 40028762
Thanks very much for the detailed responses.

For the 2 recommendations from MS, is deploying one of them enough or
it requires both to be implemented (ie deploying one of the item below
won't be effective in mitigating it ) ?
1.       Install EMET 4.1 which helps to mitigate the exploitation of this vulnerability.
2.       Set IE’s Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones
0
Save on storage to protect fatherhood memories

You're the dad who has everything. This Father's Day, make sure your family memories are protected. My Passport Ultra has automatic backup and password protection to keep your cherished photos and videos safe. With up to 3TB, you have plenty of room to hold the adventures ahead.

 

Author Comment

by:sunhux
ID: 40028763
I have hundreds of VMs, all with affected IE : what's a quick way to
implement Option 1 that MS recommends ie set zone to High security?
0
 

Author Comment

by:sunhux
ID: 40028821
One more query: there are laptops / PCs used to connect to our servers
& these laptops/PCs' IE are affected : how do we ensure the sysadmins
(ie the users of these PCs / laptops) do not turn off/change this
'High security' setting?  Currently Tripwire is not available to us yet,
otherwise we can set it such that security team is alerted if this is changed
0
 

Author Comment

by:sunhux
ID: 40028826
Our company uses TrendAv on our laptops : is there an available signature(s)
for the laptops?

> unregister a dll, set active-x to prompt, modify vgx.dll acl
Can elaborate how the above can be done & enforced (ie so that
users can't change the mitigated settings) ?
0
 
LVL 62

Assisted Solution

by:btan
btan earned 200 total points
ID: 40028848
Catch this from Microsoft on deploying EMET thru Enterprise, specifically go for the recommended setting
http://support.microsoft.com/kb/2458544
https://www.trustedsec.com/july-2013/emet-4-0-security-strategy-and-installation-step-by-step/

And also
-Set the  PCs  IE’s Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones .
-Updated the Adobe Flash and Reader

Or (for time being) use alternate browser instead of IE till the testing is alright in staging before pushing to all endpoint from production..

There is also a "Unregister VGX.dll". This library is required to use Vector Markup Language (VML), a now deprecated vector graphics format previously used in Microsoft Office applications. Interestingly, this is not the first time that this particular library has been implicated in vulnerabilities. There is a bat shared in Symantec post

http://www.symantec.com/connect/blogs/zero-day-internet-vulnerability-let-loose-wild
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Virus On motherboard 6 42
Question on security Audit 2 92
What is a hashed password and/or MD5? 5 61
Successful Penetration Tests case study 3 58
It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
Google currently has a new report that is in beta and coming soon to Webmaster Tool accounts. This Micro Tutorial will highlight new features for Google Webmaster Tools.
This Micro Tutorial will demonstrate how to add subdomains to your content reports. This can be very importing in having a site with multiple subdomains.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now