Microsoft updates four key workarounds for Internet Explorer 0day attacks

Microsoft has released a new and broader list of strategies that admins can take to minimise the impact of attacks against the flaw affecting all versions of Internet Explorer.

In the absence of a patch, two ways to neuter known attacks on the previously unseen flaw in IE 6 to 11 (CVE-2014-1776) are disabling Flash in IE; or, as some government CERTs have suggested, using another browser like Chrome or Firefox.

For organisations that can’t do either, Microsoft’s Saturday advisory provided several strategies to mitigate the known attacks, which triggered a “use-after-free” flaw in IE via a rigged Flash file hosted on a booby-trapped website. A successful attack could give the attacker the same rights as the logged-in user.

The problem with Microsoft’s workarounds is that it “led to some confusion”, according to the company, which on Wednesday released a new document outlining how best to counter threats in different environments.

Microsoft also updated its original advisory.

EMET 4.0 also works! (But it needs configuring)

One option admins had was to deploy Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). Microsoft warned on Saturday that version 3.0 of EMET won’t stop the known attack.

It also initially advised that only EMET 4.1 would mitigate the threat. Meanwhile FireEye, the security vendor that discovered the flaw, said EMET 5.0 would also do the trick. Microsoft has since clarified that EMET 5.0 does work, even better than EMET 4.1, and that EMET 4.0 does the trick too. However, since EMET 5.0 is still in preview, Microsoft can’t recommend it.

“The advisory and blog have both been updated to point out that both EMET 4.0 and EMET 4.1 are effective. Our technical preview of EMET version 5.0 also is effective in this regard; however, we do not recommend a technical preview for production deployment,” said Elia Florio and Jonathan Ness from Microsoft’s Security Response Centre engineering team.

The difference is that EMET 5.0 was effective at blocking attacks on the IE flaw as shipped, while in the two earlier versions a feature known as “Deep Hooks” had to be actively enabled first. Microsoft issued an update to EMET 4.1 on the Microsoft Download Centre on Wednesday that enables Deep Hooks by default.


One reason why Microsoft is being cautious about recommending a preview product is that even the final release version of EMET can cause problems that may outweigh the benefit of reduced risk. As Microsoft notes, “previous versions of EMET have introduced application compatibility issues.”

VGX.DLL does not contain the vulnerable code

Microsoft clarified details about its workaround for VGX.DLL, the graphics library that was initially thought to contain the flaw. Unregistering VGX.DLL is an effective workaround; however, Microsoft said “VGX.DLL does not contain the vulnerable code leveraged in this exploit”, although it is the library that provides the Vector Markup Language (VML) support used to trigger the IE flaw.

“Disabling VGX.DLL is an exploit-specific workaround that provides an immediate, effective workaround to help block known attacks,” said Microsoft’s security engineers.


In other words, should attackers develop a new exploit for the flaw, this workaround won’t necessarily be effective. But for now it should work.

Enhanced Protected Mode alone on 32-bit Internet Explorer 11 doesn't work

Microsoft also clarified its workaround for IE 10 and IE 11, where it previously said Enhanced Protected Mode could be enabled to prevent the attack. While only those two versions offer Enhanced Protected Mode, its effectiveness hinges on whether IE is running on a 64-bit or 32-bit machine.

“There is a difference between Internet Explorer 10 and Internet Explorer 11 that led to some confusion. Internet Explorer 10 has one setting to enable and Internet Explorer 11 has two settings to enable. The 64-bit aspect of Internet Explorer is a key element of this workaround as the heap spray attack is not effective in 64-bit address space, leading to a failed exploit. Enhanced Protected Mode alone on 32-bit Internet Explorer 11 is not effective in blocking the attack.”


As Microsoft explains, the advantage of this method is that it “helps” block exploits leveraging this vulnerability and potentially other vulnerabilities that may be discovered in the future, but it “requires 64-bit Windows and requires running 64-bit version of Internet Explorer.”

Which strategy should customers choose?

Microsoft outlines pros and cons for all three strategies, and all depend on the specifics of the customer’s environment; however, it would seem those that have previously deployed EMET are in the best position to defend their assets, which could be a lesson for serious vulnerabilities in the future.

“In general, for customers that already have EMET 4.x deployed, enabling Deep Hooks is likely to be the best workaround option. For customers who have not yet deployed EMET 4.x, the priority should be on immediate, quick protection which is likely to be blocking access to VGX.dll.


“Deploying EMET is the best long-term protection but doing so without first testing in your environment is unlikely to be the best option. As always, we recommend staying up-to-date with the latest version of Internet Explorer for improved security features such as Enhanced Protected Mode, better backward compatibility through Enterprise Mode, increased performance, and support for the modern web standards that run today’s websites and services.”
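As an added example (not from the article or from Microsoft), the PowerShell audit below reports whether the workarounds discussed above are in place on a host: whether VGX.DLL is still registered, whether Enhanced Protected Mode is enabled together with the 64-bit process setting on 64-bit Windows, and which EMET version, if any, is installed. The vgx.dll path, the IE registry value names (Isolation and Isolation64Bit) and the EMET uninstall-entry match are assumptions about standard Windows locations rather than details given in the article, and the Deep Hooks setting is not checked.

```powershell
# Added audit script (not from the article or Microsoft). Assumed, not from
# the article: the vgx.dll path, the IE values Isolation ("PMEM" = Enhanced
# Protected Mode on) and Isolation64Bit (1 = 64-bit EPM processes), and that
# EMET appears under the Uninstall registry keys by DisplayName.

function Test-VgxRegistered {
    # The workaround unregisters vgx.dll (regsvr32 -u); afterwards no CLSID
    # should still point its InprocServer32 at the library.
    $vgx = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'
    if (-not (Test-Path $vgx)) { return $false }   # library absent: nothing to load
    $hits = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.'(default)' -like '*\vgx.dll' }
    return [bool]$hits
}

function Get-EpmStatus {
    # Per-user IE settings. The article's point: EPM alone on 32-bit IE 11 is
    # not enough; it needs the 64-bit process setting on 64-bit Windows.
    $main  = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    $epm   = ($main.Isolation -eq 'PMEM')
    $epm64 = ($main.Isolation64Bit -eq 1)
    $os64  = [Environment]::Is64BitOperatingSystem
    [pscustomobject]@{
        EnhancedProtectedMode = $epm
        Epm64BitProcesses     = $epm64
        Windows64Bit          = $os64
        EpmWorkaroundComplete = ($epm -and $epm64 -and $os64)
    }
}

function Get-EmetVersion {
    # EMET 4.x installs as a 32-bit package, so also look under Wow6432Node
    # on x64 (assumed location).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $emet = Get-ItemProperty $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'EMET*' } | Select-Object -First 1
    if ($emet) { $emet.DisplayVersion } else { 'not installed' }
}

$epm = Get-EpmStatus
[pscustomobject]@{
    VgxStillRegistered    = Test-VgxRegistered
    EnhancedProtectedMode = $epm.EnhancedProtectedMode
    Epm64BitProcesses     = $epm.Epm64BitProcesses
    EpmWorkaroundComplete = $epm.EpmWorkaroundComplete
    EmetVersion           = Get-EmetVersion
} | Format-List
```

Run it in the context of the user whose IE settings you want to audit, since the Enhanced Protected Mode values are per-user.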
