Solved

Zero-day vulnerability for IE

Posted on 2014-04-28
8
567 Views
Last Modified: 2014-04-30
A new Zero-day vulnerability was discovered on Saturday, 26 April for Internet Explorer
 (IE) version 6 to 11. Microsoft has yet to issue a patch for it.


I heard that Symantec Endpoint could protect systems from the above.

Anyone know if TrendMicro's AV or IPS could do the same?

Let me know if TrendMicro or HP Tippg Pt has released signature to detect
the above IE's vulnerability.


Any concern / impact for implementing the following :
1.       Install EMET 4.1 which helps to mitigate the exploitation of this vulnerability.

2.       Set IE’s Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones
0
Comment
Question by:sunhux
8 Comments
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 110 total points
Comment Utility
I have EMET V4.1 running (and have been using EMET since V2). EMET is an additional defense that obfuscates addresses used in applications on the computer.

For Internet Explorer, I did have to uncheck the SEHOP flags for IE in the Application window. This is a known bug and keeping SEHOP enabled causes IE to regularly "stop working"

There is no issue in setting security to "high" but you may get more blocks and pop ups stopping your activity.

I have Symantec Endpoint Protection V12.1.4a running as well.

Really, the very best defense against these things is to use common sense. These exploits are invited in by clicking on bogus links. We are not hapless victims.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 190 total points
Comment Utility
There are other mitigations too: https://technet.microsoft.com/library/security/2963983#ID0E5FAC (unregister a dll, set active-x to prompt, modify vgx.dll acl)
EMET is a win for a lot more than IE, we discourage IE's use for our clients just because Active-x is still part of it. Flash and Java are the attack vectors on other browsers, but FF has made Java (since ff26) prompt to run by default: http://kb.mozillazine.org/Java#Java_content_requires_click-to-play_activation

You can bet most AV makers will have a signature 24-72 hours later after something like this is PoC'd or in use. But not all 0-day exploits are used, most come out after the patch, and rely on those who do not patch asap. The 0-day is easier to reverse engineer once the patch is out.
This one does appear to be active, and in targeted attacks, so it's likely the AV vendors will have a patch soon.
-rich
0
 
LVL 61

Assisted Solution

by:btan
btan earned 200 total points
Comment Utility
Cisco is releasing IPS signature 4256-0 and Snort signatures 30794, 30803 to detect the exploitation of this vulnerability. http://blogs.cisco.com/security/ie-zero-day-and-vgx-dll/

Trend Micro side as below stated two rules
http://blog.trendmicro.com/trendlabs-security-intelligence/internet-explorer-zero-day-hits-all-versions-in-use/

Trend Micro Deep Security and OfficeScan Intrusion Defense Firewall (IDF) have released a new deep packet inspection (DPI) rule to protect against exploits leveraging this vulnerability:

1006030 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-1776)
They also have a rule that restricts the use of the VML tag. This rule is already available to customers:

1001082 – Generic VML File Blocker

Symantec is midst to releasing similar
http://www.symantec.com/connect/blogs/emerging-threat-microsoft-internet-explorer-zero-day-cve-2014-1776-remote-code-execution-vulne
0
 

Author Comment

by:sunhux
Comment Utility
Thanks very much for the detailed responses.

For the 2 recommendations from MS, is deploying one of them enough or
it requires both to be implemented (ie deploying one of the item below
won't be effective in mitigating it ) ?
1.       Install EMET 4.1 which helps to mitigate the exploitation of this vulnerability.
2.       Set IE’s Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 

Author Comment

by:sunhux
Comment Utility
I have hundreds of VMs, all with affected IE : what's a quick way to
implement Option 1 that MS recommends ie set zone to High security?
0
 

Author Comment

by:sunhux
Comment Utility
One more query: there are laptops / PCs used to connect to our servers
& these laptops/PCs' IE are affected : how do we ensure the sysadmins
(ie the users of these PCs / laptops) do not turn off/change this
'High security' setting?  Currently Tripwire is not available to us yet,
otherwise we can set it such that security team is alerted if this is changed
0
 

Author Comment

by:sunhux
Comment Utility
Our company uses TrendAv on our laptops : is there an available signature(s)
for the laptops?

> unregister a dll, set active-x to prompt, modify vgx.dll acl
Can elaborate how the above can be done & enforced (ie so that
users can't change the mitigated settings) ?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 200 total points
Comment Utility
Catch this from Microsoft on deploying EMET thru Enterprise, specifically go for the recommended setting
http://support.microsoft.com/kb/2458544
https://www.trustedsec.com/july-2013/emet-4-0-security-strategy-and-installation-step-by-step/

And also
-Set the  PCs  IE’s Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones .
-Updated the Adobe Flash and Reader

Or (for time being) use alternate browser instead of IE till the testing is alright in staging before pushing to all endpoint from production..

There is also a "Unregister VGX.dll". This library is required to use Vector Markup Language (VML), a now deprecated vector graphics format previously used in Microsoft Office applications. Interestingly, this is not the first time that this particular library has been implicated in vulnerabilities. There is a bat shared in Symantec post

http://www.symantec.com/connect/blogs/zero-day-internet-vulnerability-let-loose-wild
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
This Micro Tutorial will demonstrate how nuggets on the Web are formatted by using Chrome Developer Tools. These tools would not only view the site's CSS but it can also modify it and save the CSS to use on your own site.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now