Qualys Blog

www.qualys.com
wkandek

New Internet Explorer 0-day out in the Wild – Update

Update 2: Microsoft just published KB2934088, which acknowledges the vulnerability in Internet Explorer 9 and 10 and publishes a Fixit that uses the MSHTML Shim mechanism to patch Internet Explorer. MSHTML Shim was originally developed for application compatibility, but has been successfully used for a number of security problems in the past year. Microsoft has a post on its SRD blog that explains the vulnerable versions and the defensive options available.

Update: It seems both Internet Explorer 9 and 10 are affected. That equates to a large share of all users, just over 30%. Implementing EMET makes a lot of sense, since it deflects this attack and also countered the known 0-days of this type last year.

Original: On Patch Tuesday, when Microsoft released new versions of Internet Explorer (6-11) addressing 24 vulnerabilities, FireEye detected a previously unknown attack on IE10 at the website of the Veterans of Foreign Wars (vfw.org). The attack uses an Adobe Flash object to set up the environment for the rest of the exploit. Currently this 0-day vulnerability (CVE-2014-0322) only applies to Internet Explorer 10; other versions are not affected. EMET, as many times during the IE 0-days of last year, is also successful in preventing the exploit from running, but this time because the exploit itself checks for EMET's presence and aborts if EMET is found.

Stay tuned for more updates.
