Qualys Blog

www.qualys.com
wkandek

New Internet Explorer 0-day – Update2

Update2: MS14-021 has now been published. Note that, unlike a normal update, it is not cumulative: it addresses only this particular vulnerability, CVE-2014-1776, which is common for an out-of-band update such as this one. It is recommended to install the latest cumulative update before applying MS14-021, i.e. MS14-018 for most versions of Windows, but MS14-012 for IE11 on Windows 7 and Windows 8.

Although attacks continue to be targeted, we recommend installing this update as soon as possible rather than waiting 2 weeks for the next Patch Tuesday.

Update: Microsoft will release an out-of-band patch for Internet Explorer later today, and it will include an update for Windows XP. Good news for users of the operating system that went EOL last month. Stay tuned for more news.

Original: Microsoft just published security advisory 2963983 which acknowledges limited exploits against a 0-day vulnerability in Internet Explorer (IE). The vulnerability CVE-2014-1776 affects all versions of IE starting with version 6 and including version 11, but the currently active attacks are targeting IE9, IE10 and IE11. The attack vector is a malicious web page that the targeted user has to access with one of the affected browsers.

EMET 4.1 is effective in defending against the attack. EMET, the Enhanced Mitigation Experience Toolkit, is a free toolkit that Microsoft maintains and updates frequently with new defensive security technology. Another one of the work-arounds suggested by Microsoft in the advisory is to disable VGX.dll, which is responsible for rendering of VML (Vector Markup Language) code in webpages. VML was last patched in 2013 with MS13-010.

VML is only infrequently used on the web, so disabling it in IE is the best way to prevent exploitation. You can deregister the flawed DLL by running the following command on all systems:

  • regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

Note: on 64-bit systems also run:

  • regsvr32 -u "%CommonProgramFiles(x86)%\Microsoft Shared\VGX\vgx.dll"
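
One way to confirm that the workaround took effect on a host, as an added example that is not from the original post or from Microsoft's advisory: the script lists any COM class still served by vgx.dll in either registry view. It assumes a 64-bit PowerShell session on 64-bit Windows and that deregistration removes the DLL's InprocServer32 entries; the function name Get-VgxRegistration is hypothetical.

```powershell
# Added example: read-only audit of the vgx.dll workaround. Changes nothing.
# Assumes 64-bit PowerShell on 64-bit Windows so both registry views are visible.

# COM class registrations: native view, then the 32-bit (WOW64) view.
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
) | Where-Object { Test-Path -LiteralPath $_ }

function Get-VgxRegistration {   # hypothetical helper name
    # Emit one object per CLSID whose in-process server is vgx.dll.
    foreach ($root in $clsidRoots) {
        foreach ($clsid in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $sub = $clsid.OpenSubKey('InprocServer32')
            if ($null -eq $sub) { continue }
            $server = [string]$sub.GetValue('')    # (Default) value, env vars expanded
            $sub.Close()
            if ($server -match '(^|\\)vgx\.dll"?\s*$') {
                New-Object PSObject -Property @{
                    View = $root; Clsid = $clsid.PSChildName; Server = $server
                }
            }
        }
    }
}

# The two install locations named in the post (the second exists only on 64-bit Windows).
$dirs = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique
foreach ($dir in $dirs) {
    $dll = Join-Path $dir 'Microsoft Shared\VGX\vgx.dll'
    if (Test-Path -LiteralPath $dll) { "Present on disk: $dll" }
}

$registered = @(Get-VgxRegistration)
if ($registered.Count -eq 0) {
    'OK: no COM class is served by vgx.dll; the workaround is in effect.'
} else {
    "STILL REGISTERED: $($registered.Count) COM class(es) load vgx.dll"
    $registered | Format-Table -AutoSize | Out-String
}
```

The DLL stays on disk after deregistration, so the registry result, not the file's presence, indicates whether the workaround is active.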

Windows XP users – this happened a bit quicker than I expected but it is a sign of things to come: the vulnerability applies to Windows XP; IE6, IE7 and IE8 are listed as affected, and attackers will soon adapt the exploit to work against these older versions of IE as well. Since you will not get a patch for your operating system, deregistering the DLL will be your best option to defend your systems. BTW, Microsoft still lists IE6, IE7 and IE8 in these advisories because they run under Windows 2003, which has another year of support left in it.

FireEye has some further information on their blog on the exploit, which seems to use Adobe Flash as an auxiliary to bypass DEP and ASLR protections on the target system.

Qualys IDs 100191 for IE6-10 and 100192 for IE 11 detect this vulnerability.

Stay tuned for more updates.
