How to Mitigate IE 0day (Security Advisory 2963983)

What about this 0day?

After some busy weeks with Heartbleed and XP on newsfeeds, Twitter and other places, it’s time for the next one: JAI0D, just another IE 0day. Two days ago Microsoft published Security Advisory 2963983, which acknowledges limited exploits against a 0-day vulnerability in Internet Explorer (IE). The vulnerability, CVE-2014-1776, affects all versions of IE from version 6 up to and including version 11, but the currently known attacks affect IE9, IE10 and IE11.



https://technet.microsoft.com/library/security/2963983

Microsoft has been working closely with FireEye to investigate this report of a vulnerability that was found being used in very limited targeted attacks, and has created an advisory on how to mitigate the attack. The vulnerability is a “use-after-free” memory corruption. The observed exploit seems to target IE9, IE10 and IE11, and it relies heavily on two other components, VML and Flash, to successfully trigger code execution.

Dafuq, but why is VML enabled anyway? It’s old and long-ago deprecated; Microsoft should make an option for it in settings and disable the feature, in my opinion. It has been pwnd before, so no need to let it be enabled.

For more technical information on how the payload basically tried to make memory at 0x18184000 executable and to return to 0x1818411c to execute the shellcode, check out the FireEye website here: http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html

Solution

Microsoft has revised its advisory, but as of now there are 4 solutions which can be used to mitigate this 0day. You can choose your preferred solution; I’ve chosen the one with unregistering vgx.dll. Solutions here:

  • EMET 4.0 / 4.1: all mitigations enabled, deephooks/antidetour enabled
  • EMET 5.0TP: all mitigations enabled (including ASR/EAF+), deephooks/antidetour enabled
  • Unregister vgx.dll
  • Run Internet Explorer in “Enhanced Protected Mode” configuration and 64-bit process mode, which is available for IE10 and IE11 in the Internet Options settings


So why no “Enhanced Protected Mode”? Well, some customers still run IE9, some have IE10 and others have IE11. This fix would not cover all the browsers. Another thing is that, and I sure think “Enhanced Protected Mode” is a great feature, not all plugins work with EPM. For example, when using an x86 IE browser, Oracle and Windows say: “Install JAVA x86 plugin”. But after enabling the plugin it will be displayed as incompatible, meh.

Unregister vgx.dll

Unregistering vgx.dll is easily done by entering the following command(s) from an elevated command prompt:

  • x86 Windows systems
    regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
  • x64 Windows systems
    regsvr32 -u "%CommonProgramFiles(x86)%\Microsoft Shared\VGX\vgx.dll"
    regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"


Impact? None, your IE browser will just not be able to render Vector Markup Language content, but it’s hardly being used, so who cares ;–)

When using Citrix there’s an easy way to deploy these scripts: you should definitely use Installation Manager for it. Simply add a command-line task, create a .CMD file, enter the following command and target all your Citrix servers:

%SYSTEMROOT%\System32\Cmd.exe /c "\\remoteserver$\unregister_vgx_dll.cmd"

Check



And here a working version:



  • It’s also possible to search your Windows System for a specific registry entry, AFTER the unregistering you won’t be able to find this key:
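The unregister step and the registry check described above can be combined in one .CMD file. The script below is an added example, not code from the original post or from Microsoft: instead of naming a specific key, it searches the COM class registrations for any data that still mentions vgx.dll. It assumes Windows 7 / Server 2008 R2 or later (for the `/reg:32` and `/reg:64` switches of reg.exe) and an elevated prompt; the labels, messages and exit codes are choices made for this example.

```batch
@echo off
rem Added example (not from the original post): unregister vgx.dll, then
rem verify that no COM class registration still points at it.
rem Assumes Windows 7 / Server 2008 R2 or later and an elevated prompt.
rem Exit code 0 = mitigation in place, 1 = vgx.dll still registered.
setlocal
set "FAIL=0"

rem Native copy first, then the 32-bit copy that exists on x64 systems.
call :unregister "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
if defined CommonProgramFiles(x86) call :unregister "%CommonProgramFiles(x86)%\Microsoft Shared\VGX\vgx.dll"

rem COM registrations live under HKLM\SOFTWARE\Classes\CLSID; check both the
rem 64-bit and the 32-bit registry view for data that mentions vgx.dll.
call :verify 64
call :verify 32

if "%FAIL%"=="0" echo OK: vgx.dll is not registered on %COMPUTERNAME%
if not "%FAIL%"=="0" echo FAILED: vgx.dll is still registered on %COMPUTERNAME%
exit /b %FAIL%

:unregister
rem No parenthesised blocks here: the path may contain "(x86)", which would
rem close a block early once the variable has been expanded.
if not exist "%~1" goto :eof
regsvr32 /s /u "%~1"
if errorlevel 1 echo ERROR: regsvr32 /u failed for "%~1"
if errorlevel 1 set "FAIL=1"
goto :eof

:verify
rem reg query returns 0 when the search finds a match and 1 when it finds
rem none. It also returns 1 if the query itself fails, so run the script
rem once interactively before relying on its exit code in a deployment.
reg query "HKLM\SOFTWARE\Classes\CLSID" /s /f "vgx.dll" /d /reg:%1 >nul 2>&1
if not errorlevel 1 echo FOUND: a CLSID entry in the %1-bit view still references vgx.dll
if not errorlevel 1 set "FAIL=1"
goto :eof
```

Because the script returns a non-zero exit code when a registration is left behind, the deployment task can report which servers still need attention.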


So is IE still safe?

I won’t say IE is unsafe; you can mitigate this exploit. But what if you use old Adobe Flash and JAVA plugins? Then you’re still a victim either way. Update all these plugins! Also try to enable “Enhanced Protected Mode” and ALWAYS make sure your users cannot run .EXE files without your permission (by enabling Software Restriction Policy).

As long as we use web browsers, attackers will always try to find and use 0days, but I won’t say another browser like Google Chrome or Mozilla Firefox will make us safer, as many people suggest. Check out the browser security comparison, for example (NSS): https://www.nsslabs.com/system/files/public-report/files/Browser%20Security%20Comparative%20Analysis%20-%20Socially%20Engineered%20Malware.pdf. You can choose whatever browser you like, just to get rid of the flaws in IE, but aren’t you creating a new security risk? Well, I think you are.
