Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Over the weekend, Microsoft released Security Advisory 2963983 which describes a new zero-day vulnerability found in Internet Explorer. (It has also been assigned the CVE designation CVE-2014-1776.)

    This remote code execution vulnerability allows an attacker to run code on a victim system if the user visits a website under the control of the attacker. While attacks are only known against three IE versions (IE 9-11), the underlying flaw exists in all versions of IE in use today (from IE 6 all the way to IE 11).

    Serious as this vulnerability is, it’s not all bad news. First of all, the vulnerability is only able to run code with the same privileges as the logged-in user. Therefore, if the user’s account does not have administrator rights, the malicious code will not run with them either, partially reducing the risk. (Of course, this is only true if the user’s account isn’t set up as an administrator.)

    Secondly, some workarounds have been provided by Microsoft as part of their advisory; of these enabling Enhanced Protected Mode (an IE10 and IE11-only feature) is the easiest to do. In addition, the exploit code requires Adobe Flash to work, so disabling or removing the Flash Player from IE also reduces the risk from this vulnerability as well.

    We will continue to monitor this threat and provide new information as necessary.

    Update as of April 28, 2014, 12:30 P.M. PDT

    End of support for any software, OS or not, leaves users and organizations more vulnerable to threats. However, there are some solutions that can help address or mitigate this dilemma. Virtual patching can complement traditional patch management strategies as it can “virtually patch” affected systems before actual patches are made available. Another benefit is that it can “virtually patch” unsupported applications. For example, Trend Micro Deep Security has been supporting Windows 2000 vulnerabilities even beyond its end of support.

    It should be noted that the Enhanced Mitigation Experience Toolkit (EMET) can also help mitigate attacks that may exploit this particular vulnerability. This toolkit prevents software vulnerabilities from being exploited through several security mitigation technologies. According to the Microsoft advisory, “EMET helps to mitigate this vulnerability in Internet Explorer on systems where EMET is installed and configured to work with Internet Explorer.”

    Trend Micro Deep Security and OfficeScan Intrusion Defense Firewall (IDF) have released a new deep packet inspection (DPI) rule to protect against exploits leveraging this vulnerability:

    • 1006030 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-1776)

    They also have a rule that restricts the use of the VML tag. This rule is already available to customers:

    • 1001082 – Generic VML File Blocker

    Update as of April 28, 2014, 6:10 P.M. PDT

    As we mentioned earlier, this vulnerability is now designated as CVE-2014-1776. It is due to the way Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated (a use-after-free condition). Successful exploitation allows an attacker to execute arbitrary code in the context of the current user.

    To mitigate this threat, Microsoft suggests to unregister VGX.DLL, which is responsible for rendering of VML (Vector Markup Language) code in webpages.

    The vulnerability is exploited when victim opens specially crafted webpages using Internet Explorer. Users can be convinced to open these sites via clickable links in specially crafted emails or instant messages. An Adobe Flash file embedded in these malicious sites is used to bypass Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) protections on the target system.

    As we mentioned earlier, we provide two rules that protect users against this threat. Not only will these rules help reduce the threat until a patch is provided by Microsoft, it will also protect unsupported OSes, such as Windows XP.

    Additional analysis by Pavithra Hanchagaiah.

    Update as of April 30, 2014, 4:25 AM PDT

    To further protect users from this threat, we have released the following additional heuristic solutions for this threat:

    • For Deep Discovery, NCIP 1.12083.00 and NCCP 1.12053.00 provide additional protection as well.
    • Our browser exploit prevention technology (present in Titanium 7) has rules that detect websites that contain exploits related to this vulnerability.

    To help administrators investigate if this threat is affecting their networks, products with  ATSE (Advanced Threats Scan Engine), such as Deep Discovery,  have heuristic rules which detect attacks using this vulnerability. These attacks are detected as HEUR_SWFHS.A and HEUR_SWFJIT.B in the ATSE pattern 9.755.1107 since April 22.

    Update as of May 1, 2014, 5:33 AM PDT

    We have also released the following additional solution for this threat:

    • OPR 10.767.00 provides additional heuristic capabilities to help detect malicious scripts that take advantage of this vulnerability.

    Update as of May 1, 2014, 7:15 AM PDT

    The original version of this post mentioned modifying the ACL for VGX.DLL, based on recommendations from Microsoft. Microsoft has modified their guidance, and the blog post has been modified accordingly.

    Update as of May 1, 2014, 11:03 AM PDT

    The original version of this post mentioned that Windows XP will not be receiving a patch for this vulnerability. Microsoft has just released a security update (MS14-021) for this vulnerability, including one for Windows XP. This blog post has been modified accordingly.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon

    • jjrbg

      “This is the first vulnerability affecting Windows XP that will not be patched.” – this is incorrect. Microsoft released a patch last night which includes support for XP.

      • AT

        “Update as of May 1, 2014, 11:03 AM PDT

        The original version of this post mentioned that Windows XP will not be receiving a patch for this vulnerability. Microsoft has just released a security update (MS14-021) for this vulnerability, including one for Windows XP. This blog post has been modified accordingly.”

    • jjrbg

      Can Trend Micro AV block this exploit? Not DPI or Discovery or Virtual Patching but the plain old anti-virus client?

      • Phil Gross

        Not the exploit itself, but any mal that tries to run should be detected & nullified

    • Azs Mor

      What version of Officescan client (Definition) can detect and block this attack ?

    • Mike

      Who says this won’t be patched? It’s an IE problem, not an XP problem. IE is still getting updates, whether you’re on XP or 7 or 8.

      • DannyL

        Because IE 8 is only available in XP, not Win7/8 and is end of support itself.

      • Yuhong Bao

        Except that each IE and Windows version needs its own update package. Go look at a IE cumulative security update bulletin.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice