Microsoft out-of-band Security Advisory for IE
Microsoft has released an out-of-band bulletin Microsoft Security Advisory (2963983) on April 26th, 2014 that addresses a Remote-Code -Execution vulnerability in Microsoft Internet Explorer. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. This vulnerability affects Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. This vulnerability has been referred by CVE as CVE-2014-1776.
Dell SonicWALL threat team researched this vulnerability and created following IPS signatures to cover the attack.
- IPS: 3787 Windows IE Remote Code Execution Vulnerability (CVE-2014-1776)
Note that in order to be protected make sure Dell SonicWALL Intrusion Prevention service is enabled and signature set is up-to-date.
Dell SonicWALL has some existing signatures to detect VML file downloads which will mitigate the risk of exposure to this vulnerability:
- APP:3617 XML -- VML File (HTTP Download) 1a
- APP:3269 XML -- VML File (HTTP Download) 1b
- APP:3629 XML -- VML File (HTTP Download) 2a
- APP:3271 XML -- VML File (HTTP Download) 2b
- APP:3630 XML -- VML File (HTTP Download) 3a
- APP:3272 XML -- VML File (HTTP Download) 3b
- APP:4058 XML -- VML File (HTTP Download) 4a
- APP:3284 XML -- VML File (HTTP Download) 4b
To further limit your risk to the vulnerability please follow the steps below:
- Apply the Security Patch from Microsoft released on May 1, 2014. Microsoft has also released the update for Windows XP although the support for Windows XP was discontinued on April 8th, 2014.
- Do not open unknown URLs from external Emails.
- Keep your Microsoft Email clients such as Outlook in restricted site zone, which is set by default.
- Internet Explorer runs in a restricted mode known as Enhanced Security Configuration is safe. They are set as default on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.
- Set Internet and Local intranet security zone settings to "High".
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
- Deploy the EMET (Enhanced Mitigation Experience Toolkit) 4.1.
- Unregister VGX.DLL by running command: "%SystemRoot%System32regsvr32.exe" -u "%CommonProgramFiles%Microsoft SharedVGXvgx.dll" in command prompt.
- Modify the Access Control List on VGX.DLL to be more restrictive.
- Enable Enhanced Protected Mode for Internet Explorer 11 and Enable 64-bit Processes for Enhanced Protected Mode.
For the Microsoft vulnerabilities covered by SonicWALL, please refer to SonicWALL MAPP for details.
Last updated on May 2nd, 2014.