New Zero-Day Vulnerability Affects all Versions of Internet Explorer Browser

In a Security Advisory (2963983) released yesterday, Microsoft acknowledges a zero-day Internet Explorer vulnerability (CVE-2014-1776) is being used in targeted attacks by APT groups, but the currently active attacks are targeting IE9, IE10 and IE11.

Reported flaw in Internet Explorer is a Remote Code Execution vulnerability, which resides in ‘in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated.‘ advisory said.

Microsoft Investigation team is currently working with FireEye Security experts, and dubbed the ongoing targeted campaign as “Operation Clandestine Fox“.

FireEye explained that an attacker could trigger the zero-day exploit through a malicious webpage that the targeted user has to access with one of the affected Internet Explorer browser.  Successful exploitation of this vulnerability allows an attacker to execute arbitrary code within the Internet Explorer in order to gain the same user rights as the current user.

Internet Explorer zero-day exploit depends upon the loading of a Flash SWF file that call for a Javascript in vulnerable version Internet Explorer to trigger the flaw, which allows the exploit to bypass Windows’ ASLR and DEP protections on the target system by exploiting the Adobe Flash plugin.

According to the advisory, currently no security patch available for this vulnerability. “Collectively, in 2013, the vulnerable versions of IE accounted for 26.25% of the browser market.” FireEye said.

Microsoft is working on a security patch for Internet Explorer vulnerability. However, you can still migrate the threat by following below given methods:

• Install Enhanced Mitigation Experience Toolkit (EMET 4.1), a free utility that helps prevent vulnerabilities in software from being successfully exploited.
• You can protect against exploitation by changing your settings for the Internet security zone to block ActiveX controls and Active Scripting.
• Tools > Internet Options > Security > Internet > Custom Level > Under Scripting Settings > Disable Active Scripting
• Under Local intranet’s Custom Level Settings > Disable Active Scripting
• If you are using Internet Explorer 10 or the higher version, enable Enhanced Protected Mode to prevent your browser from Zero-Day Attack.
• IE Exploit will not work without Adobe Flash. So Users are advised to disable the Adobe Flash plugin within IE.
• De-Register VGX.dll (VML parser) file, which is responsible for rendering of VML (Vector Markup Language) code in web pages, in order to prevent exploitation. Run following command:
  • regsvr32 -u “%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll”