All Hands On Deck: Zero-Day Reported in the Wild, Affects IE6-11


Reefa

It’s unusual to see a report come through on the weekend, but based on how quickly communication has been ramped up, this one is serious enough to warrant some weekend work.

A new zero-day flaw is being reported that affects Internet Explorer versions 6 through 11, with IE9 through IE11 being actively targeted. When enacted, the vulnerability has the potential to take over the computer. Of course, as with the majority of vulnerabilities like this, it assumes the capabilities of the logged-on user, which means if a user has administrative rights to the computer, the exploit will enjoy full control. I can’t reiterate enough that administrative rights for normal users are a no-no and cases like this should be enough to convince management to revoke administrative rights across the board.

Microsoft is working on a fix; however, it’s important to keep in mind that whatever patch becomes available, it will not cover Windows XP. By all appearances, this is a serious flaw, and will be a first major test for unpatched Windows XP computers. The fix, once issued, will not be available publicly for Windows XP.

Here’s the applicable information about this new zero-day flaw:

Microsoft Security Advisory 2963983

More Details about Security Advisory 2963983 IE 0day

FireEye: New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks

The flaw uses a hole in Adobe Flash. For workarounds, Microsoft is promoting EMET with a specific configuration and also suggesting disabling VML in Internet Explorer and running IE in "Enhanced Protected Mode."

Source

Link to comment
Share on other sites


What you can do against Internet Explorer’s latest 0-day vulnerability (April 2014)

Microsoft released a security advisory on Saturday that offers information about a recently disclosed vulnerability affecting all versions of the company's web browser Internet Explorer.

Microsoft is aware of limited attacks targeting Internet Explorer, and that a successful exploit of it allows remote code execution on the affected system.

According to the information, users need to visit a malicious website for that to happen, which usually happens when users click on links in emails, but also through other websites that link to the exploit pages directly.

What's interesting in this regard is that Internet Explorer 6 to Internet Explorer 11 are affected by this, but that attacks seem to concentrate on IE9 to IE11 currently.

While that is the main target right now, the situation looks dire for Windows XP users as a patch won't be released for the operating system.

This means in effect that Internet Explorer should not be used anymore on that system.

Mitigation

It is possible to mitigate the attack, and you have several options to do so.

Different browser

Don't use Internet Explorer until it is patched. This is the most obvious choice but it may not always be possible depending on your work environment. But if you can run other browsers on your system, use them instead for the time being. Firefox is a great choice.

Enhanced Protected Mode

If you are using Internet Explorer 10 or 11 with Enhanced Protected Mode enabled, you are safe as it breaks the exploit. To check if it is enabled on your system do the following:

  1. Open Internet Explorer on your system.
  2. Tap on the Alt-key on your keyboard and select Tools > Internet Options.
  3. Switch to the Advanced tab here and make sure Enhanced Protected Mode is enabled under Security here. You find it near the bottom of the listing.

Microsoft Enhanced Mitigation Experience Toolkit

Microsoft's EMET versions 4.1 and 5.0 (currently available as a Tech Preview) break the exploit as well. Note that EMET 4.1 is compatible with Windows XP Service Pack 3 while version 5.0 is not, as it supports only Windows Vista and newer.

All you have to do is install the program on your system to protect it against the vulnerability.

Adobe Flash

According to security company FireEye, disabling Flash in Internet Explorer will prevent the exploit from functioning as well, as it appears to require Flash for its proper execution.

To disable Adobe Flash in Internet Explorer, do the following (this is demoed using IE11, other versions may vary):

  1. Open Microsoft's Internet Explorer browser.
  2. Tap on the Alt-key and select Tools > Manage Add-ons.
  3. Locate Shockwave Flash Object under Toolbars and Extensions and click on the item.
  4. Click on the disable button to block it from running in Internet Explorer.

Alternatively, uninstall the Internet Explorer Flash plugin using the Control Panel.

Source

Edited by shamu726
Link to comment
Share on other sites


For XP users:

Security experts claim that disabling the VGX.dll, which according to Microsoft is responsible for rendering of VML (Vector Markup Language) code in webpages, could be the easiest way to keep your computer fully protected, but moving to another browser is always the fastest method to avoid getting hacked:

“This happened a bit quicker than I expected but it is a sign of things to come: the vulnerability applies to Windows XP, IE6, IE7 and IE8 are listed as affected and attackers will soon adapt the exploit to work against these older versions of IE as well. Since you will not get a patch for your operating system, deregistering the DLL will be your best option to defend your systems.”

If you'd like to deregister the vulnerable DLL file, open a Command Prompt window with administrator privileges and run the following command:

regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

Source

Link to comment
Share on other sites
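
A read-only way to confirm the deregistration from the post above took effect, as an added example that is not part of the original post. It scans the COM class registrations for any entry still served by vgx.dll; the function name and the extra look at the `Wow6432Node` view (the 32-bit registrations on 64-bit Windows) are assumptions made here, since the post only gives the `%CommonProgramFiles%` path.

```powershell
# Added example (not from the post): list COM classes still served by vgx.dll.
# Read-only; it changes nothing. Works in Windows PowerShell 2.0 and later.

function Get-VgxRegistration {
    # 'CLSID' is the native view; 'Wow6432Node\CLSID' holds 32-bit
    # registrations on 64-bit Windows (assumption: not mentioned in the post).
    $views = 'CLSID', 'Wow6432Node\CLSID'
    foreach ($view in $views) {
        $root = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($view)
        if (-not $root) { continue }          # view absent on 32-bit Windows
        foreach ($name in $root.GetSubKeyNames()) {
            # InprocServer32's default value names the DLL implementing the class.
            try   { $srv = $root.OpenSubKey("$name\InprocServer32") }
            catch { continue }                # key not readable by this user
            if (-not $srv) { continue }
            $dll = [string]$srv.GetValue('')
            $srv.Close()
            # -like is case-insensitive; match on the folder and file name
            # because the stored path may use either Common Files directory.
            if ($dll -like '*\VGX\vgx.dll') {
                New-Object PSObject -Property @{
                    View = $view; Clsid = $name; Server = $dll
                }
            }
        }
        $root.Close()
    }
}

$found = @(Get-VgxRegistration)
if ($found.Count -eq 0) {
    'vgx.dll: no COM registration found, the regsvr32 -u workaround is in effect.'
} else {
    $found | Format-Table View, Clsid, Server -AutoSize
    'vgx.dll is still registered for the classes listed above.'
}
```

A hit that appears only under `Wow6432Node\CLSID` means the 32-bit copy of the DLL is still registered on a 64-bit system and needs the same `regsvr32 -u` treatment.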


Microsoft on Saturday told customers that cyber-criminals are exploiting an unpatched and critical vulnerability in Internet Explorer (IE) using "drive-by" attacks.

From Computerworld:

According to Microsoft, the attacks have been launched against IE users tricked into visiting malicious websites. Such attacks, dubbed "drive-bys," are among the most dangerous because a vulnerable browser can be hacked as soon as its user surfs to the URL.

All currently-supported versions of IE are at risk, Microsoft said, including 2001's IE6, which still receives patches on Windows Server 2003. The same browser will not be repaired on Windows XP, as the operating system was retired from patch support on April 8.

http://www.computerworld.com/s/article/9247940/Hackers_find_first_post_retirement_Windows_XP_related_vulnerability

Edited by anuseems
Link to comment
Share on other sites


Anybody ever heard of Firefox, Opera, Chrome, etc? Derp derp

Link to comment
Share on other sites


"For XP users:"

Yeah, there's a handful of ways to prevent this vulnerability on XP. No concern here, as I don't use IE.

I've long ago set my Internet zone to high security, which would also prevent this.

"This means in effect that Internet Explorer should not be used anymore on that system."

It's good advice, but not entirely correct. IE can still be used for work purposes. Just don't surf the web logged in as Administrator. Switch to a limited user account.

Edited by banned
Link to comment
Share on other sites


Of course, it's not an "XP-related vulnerability" at all. It's an IE vulnerability, and Microsoft has chosen to release a patch that won't work for XP, but will work for Vista, 7, and 8. Must have taken some effort to arrange that.

Link to comment
Share on other sites


The hacker is MSFT guys themselves. They know their thing as they have made it after all.

The black market will patch it soon, I guess.

Link to comment
Share on other sites


Am I glad that Microsoft will not make a fix for this. Let them suffer.

Link to comment
Share on other sites

