Flash exploit targeting Internet Explorer versions 8 through 11

    #494501

    FireEye Research Labs identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. This zero-day bypasses both ASLR and DEP. Microsoft has assigned CVE-2014-1776 to the vulnerability and released a security advisory to track this issue.

    The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections.

    Mitigation

    Using EMET may break the exploit in your environment and prevent it from successfully controlling your computer. EMET versions 4.1 and 5.0 break (and/or detect) the exploit in our tests.
    Enhanced Protected Mode in IE breaks the exploit in our tests.
    EPM was introduced in IE10.
    Additionally, the attack will not work without Adobe Flash. Disabling the Flash plugin within IE will prevent the exploit from functioning.

    http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html

    https://technet.microsoft.com/en-US/library/security/2963983

    • #1450956

      satrow,

      So many videos, especially uTube, depend on the Flash Player. Constantly enabling & disabling the Flash Plugin, is a pain! Disabling the flash player plugin isn’t a good solution.

      A better solution IMHO is stop using IE, it’s a dog !
      There are much better browser options or choices. IE: Chrome, Comodo Dragon or Firefox to name a few. Just a thought!
      They also use a Flash Plugin, their own version, so not sure if they also suffer from the exploit.
      Does anyone know ?

      • #1450968

        There are much better browser options or choices. IE: Chrome, Comodo Dragon or Firefox to name a few. Just a thought!

        Yes, IE is generally the best browser. 😉

        But it’s certainly now a bad choice on XP.

        They also use a Flash Plugin, their own version, so not sure if they also suffer from the exploit.
        Does anyone know ?

        No; this current flaw is in IE, not Flash (although Flash is used by the current IE attacks).

        The Microsoft Security Advisory linked above doesn’t mention Flash at all, because there could be other means of exploiting the IE flaw (in vgx.dll).

        I think only IE and Chrome have their own Flash updates.

        Bruce

        • #1450976

          Yes, IE is generally the best browser. 😉

          But it’s certainly now a bad choice on XP.

          No; this current flaw is in IE, not Flash (although Flash is used by the current IE attacks).

          The Microsoft Security Advisory linked above doesn’t mention Flash at all, because there could be other means of exploiting the IE flaw (in vgx.dll).

          I think only IE and Chrome have their own Flash updates.

          Bruce

          Sorry Bruce..my bad. When I said IE: (meaning, for instance) Chrome etc, maybe I should have said.. EG: Chrome etc.

          Internet Explorer is not my 1st choice, if ever. I only use it, when M$ updates force me to use it.
          Microsoft seems to think everyone who uses IE are tech types & know what all the IE options mean. Most of those I look after, don’t have a clue what all the settings in IE mean or do ! Some of M$ explanations leave me puzzled & scratching my head & I’ve been working with the technology for 45 years..!

          If you implement this M$ work around, to the letter, and don’t remember to back them out when a fix is released…. future updates will probably fail!. Great !! More hand holding for many users.

          Still, I guess, something, is better than nothing, especially for XP, which is stuck with IEV8 & it is only going to get worse! The die-hard users will hang on, experiencing more & more problems from virus or malware attacks as time passes! If they suffer enough, & they will, maybe they’ll get the message ?

          • #1451351

            Sorry Bruce..my bad. When I said IE: (meaning, for instance) Chrome etc, maybe I should have said.. EG: Chrome etc.

            Internet Explorer is not my 1st choice, if ever. I only use it, when M$ updates force me to use it.
            Microsoft seems to think everyone who uses IE are tech types & know what all the IE options mean. Most of those I look after, don’t have a clue what all the settings in IE mean or do ! Some of M$ explanations leave me puzzled & scratching my head & I’ve been working with the technology for 45 years..!

            If you implement this M$ work around, to the letter, and don’t remember to back them out when a fix is released…. future updates will probably fail!. Great !! More hand holding for many users.

            Still, I guess, something, is better than nothing, especially for XP, which is stuck with IEV8 & it is only going to get worse! The die-hard users will hang on, experiencing more & more problems from virus or malware attacks as time passes! If they suffer enough, & they will, maybe they’ll get the message ?

            You don’t need to use IE to run Windows update. You can switch a Firefox tab to an IE tab and run Windows Update in that tab, it is so good it even fools Microsoft. :^)

    • #1450977

      As you can enable Enhanced Protected Mode (>=IE 10), this seems to be an easy workaround, although as you will be running IE in 64 bit mode then you would also need to install the 64 bit version of Java should you use any sites that require it.

      Flashplayer has also had its own problems not connected with the IE exploit and recently released a security update http://nakedsecurity.sophos.com/2014/04/29/not-to-be-outdone-by-microsoft-adobe-announces-zero-day-exploit-patch-for-flash/

      http://www.adobe.com

    • #1451028

      Per the all IE versions zero day vulnerability. Below’s some info from Symantec. 🙂

      http://www.symantec.com/connect/blogs/zero-day-internet-vulnerability-let-loose-wild

      I did disable vgx.dll; not the first time this dll was exploited in some fashion or form, but it will be the first time that no solution for XP users will be patched. 🙂

    • #1451171

      MS have decided to patch XP against this, as well as supported OS’s, see here: http://windowssecrets.com/forums/showthread//161740-XP-has-a-new-security-patch-for-Advisory-2963983

    • #1451903

      I got my first ever e-mail from Gibson Research (Steve Gibson) about this. I shall quote:

      Web browsers are growing insanely complex. It’s pretty clear that they will be our next-generation operating platforms. And as the last annual “Pwn2Own” contest showed, none of them can currently withstand the focused attention of skilled and determined attackers, especially when some prize money is dangled on the other side of the finish line.

      With most recent exploits, the path to exploitation is convoluted and complex. In this case it depends upon somehow encountering malicious Web content with IE’s ActiveScripting enabled, which loads an Adobe SWF (Shockwave FLASH) file which, in turn, uses JavaScript in this vulnerable version of IE (presently all versions of IE). But it does this via an obscure and readily disabled VML (Vector Markup Language) rendering extension.

      Thus, to immediately protect any use of Internet Explorer – yes, even on creaky old WinXP (the XPocalypse has been delayed) – simply execute the following incantation using either a Windows Command Prompt or the “Run…” dialog under the Start button (if you’re lucky enough to still have one on your Windows desktop):

      regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

      This unregisters (-u) the VML renderer, thus rendering it inaccessible to the exploit attempt. Your IE browser will no longer be able to render vector markup language content… but it probably never did before, anyway.
      /Steve.

      For 64-bit Windows:
      regsvr32 -u "%CommonProgramFiles(x86)%\Microsoft Shared\VGX\vgx.dll"

      Make sure you include the end double-quote when doing the command. I haven’t seen any problems using IE (v. 11) since doing this on all 5 PCs I own.
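
Added example, not part of the thread or of Microsoft's advisory: a PowerShell script that applies the vgx.dll workaround discussed above to whichever Common Files locations exist on the machine, and undoes it with -Revert once the patch is installed. The marker file name and location are assumptions made for this example; run it from an elevated prompt.

```powershell
# Added example (not from the thread). Requires an elevated PowerShell prompt.
param([switch]$Revert)   # -Revert re-registers vgx.dll after the fix is installed

# Marker file name/location are assumptions made for this example.
$stateFile = Join-Path $env:ALLUSERSPROFILE 'vgx-workaround.txt'
$regsvr32  = Join-Path $env:SystemRoot 'System32\regsvr32.exe'

# Collect every Common Files root; the (x86) and W6432 variables exist only
# on 64-bit Windows, so empty values are dropped and duplicates removed.
$roots = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}, $env:CommonProgramW6432) |
    Where-Object { $_ } | Select-Object -Unique
$dlls = @($roots | ForEach-Object { Join-Path $_ 'Microsoft Shared\VGX\vgx.dll' } |
    Where-Object { Test-Path $_ })

if ($dlls.Count -eq 0) { Write-Output 'vgx.dll not found; nothing to do.'; return }

$action = if ($Revert) { 'register' } else { 'unregister' }
$ok = 0
foreach ($dll in $dlls) {
    # /s = no dialog boxes, /u = unregister (the -u in the quoted command)
    $argList = @('/s')
    if (-not $Revert) { $argList += '/u' }
    $argList += "`"$dll`""          # keep the quotes: the path contains spaces

    $p = Start-Process -FilePath $regsvr32 -ArgumentList $argList -Wait -PassThru
    if ($p.ExitCode -eq 0) {
        $ok++
        Write-Output "OK: $action $dll"
    } else {
        Write-Warning "FAILED (exit $($p.ExitCode)): $action $dll"
    }
}

if ($Revert) {
    Remove-Item $stateFile -ErrorAction SilentlyContinue
} elseif ($ok -gt 0) {
    # Dated reminder so the workaround is backed out when the update ships.
    "vgx.dll unregistered $(Get-Date -Format s) for advisory 2963983" |
        Set-Content $stateFile
}
```

The marker file gives an administrator something to search for across machines when deciding where the workaround still has to be reverted.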
