Microsoft Internet Explorer Zero-day - CVE-2014-1776

A new vulnerability found in Microsoft Internet Explorer affects Internet Explorer versions 6 through 11. However, current reported attacks are targeting only Internet Explorer 9 through 11. The vulnerability allows attackers to remotely execute arbitrary code on the target machine by having the user visit a malicious website.

This vulnerability has been assigned reference CVE-2014-1776.  The vulnerability lies in the way Internet Explorer handles Vector Markup Language and vector graphics rendering when Internet Explorer accesses a related object in memory which has been deleted or improperly allocated. This allows the attacker to execute arbitrary code in the context of the current user.

The Websense Approach

As with any vulnerability it is always best to apply vendor patches to ensure complete protection from exploit attempts.  In this instance no patch or Fix It is available from Microsoft.

So, what now? The next best thing to do is to protect from the apparatus and delivery mechanisms used by the attackers.  When reports of low volume targeted attacks surface it is often not long before the attacks become more widespread after code targeting the vulnerability is incorporated into exploit kits.

At the time of writing attack samples are sparse so we are exploring the telemetry within our ThreatSeeker® Intelligence Cloud looking for exemplars and Indicators of Compromise. We shall update this blog with additional insights as more become available, but for now it does not look like use of this vulnerability is widespread.

Websense offers protection throughout the attack life cycle using the 7 Stages of Advanced Attacks model.  Typically we see the following scenario in such instances: a user will visit a website (most likely a compromised legitimate website, rather than one specifically registered by an attacker), thus initiating a Flash file download which sets the scene for a further call to a JavaScript payload.  This in turn triggers the vulnerability in Internet Explorer.  Attackers may use the opportunity of remote code execution to launch additional components within a reconnaissance or data theft attack.

In the absence of a patch or Fix It from Microsoft various mitigation techniques are available, including:

• Most importantly do not use Administrative account for general tasks such as web-browsing. As the attacker inherits the rights of the current user, using a non-privileged account is highly advisable.
• Consider deploying Microsoft's Enhanced Mitigation Experience Toolkit (EMET v4.1) which is designed to make exploitation more difficult for attackers.
• Turn on Enhanced Protected Mode (EPM) in Internet Explorer. It is available for IE 10 and 11.
• Disabling Internet Explorer's Flash plugin will render the exploit non-functional.
• Disabling VML (unregistering vgx.dll) will turn off the vulnerable library.  You should certainly consider this if you are using Windows XP (see note below).
• For organisation's that are flexible on browser choice you should consider adopting an alternative browser to Internet Explorer, at least prior to applying a patch from Microsoft.

More information about the vulnerability, and how to implement the aforementioned mitigation factors, can be found at Microsoft Security Advisory 2963983.

Further, now Windows XP is no longer supported by Microsoft this discovery leads prompts a timely reminder to consider alternatives to this still popular operating system, to better protect from vulnerabilities affecting Windows XP users.

Websense Security Labs will continue monitoring the situation and update this blog accordingly.