On Saturday, Microsoft released an out-of-band security advisory regarding a newly discovered zero-day vulnerability in Internet Explorer versions 6 through 11 (all current supported versions) that could be exploited by an attacker to run code remotely on a system. FireEye reported the vulnerability.
This vulnerability affects IE installed on all supported Windows client and server operating systems (Vista, Windows 7, 8, 8.1 and all versions of RT as well as Server 2003, 2008, 2008 R2, 2012 and 2012 R2). The only operating systems that you don’t have to worry about are the server core installations of Windows Server, which do not run a web browser.
The vulnerability may be less of a risk on server operating systems, however, because by default they run Internet Explorer in Enhanced Security Configuration mode. However, because this mode is very restrictive, many admins get frustrated with its limitations and disable it if they frequently use the web browser on a server. If Enhanced Security Configuration mode has been disabled, this vulnerability poses more of a risk on the server OS because an exploit gives the attacker the same user rights as the currently logged-on user, and admins are more likely to be logged onto the server with an administrative account.
The problem behind this vulnerability is with the way IE handles objects in memory and it is known as a “use after free” vulnerability because it concerns corruption of data after memory is released. It’s a means by which an exploit can circumvent ASLR and DEP (Address Space Layout Randomization and Data Execution Prevention), two of IE’s most important security mechanisms, giving the attacker the ability to run the malicious code.
There is a bit of a mitigation in that the most likely way to exploit the vulnerability is to create a web page containing the exploit code and a user would have to visit the site for the exploit to be carried out. However, the code could be inserted into legitimate web pages that allow for users to upload content or it could be included in advertising hosted on pages the user trusts.
It could also be instigated by including the malicious code in HTML email. Microsoft Outlook and Windows Mail open HTML messages in the Restricted Sites zone by default, which means ActiveX and scripts are disabled. However, if this setting has been changed, or if the malicious message were opened in another mail client that didn’t have this protection, this method of attack could work.
Microsoft is still investigating and has not yet issued a patch for this vulnerability but they put out the advisory after discovering that there is an exploit already “in the wild” which has been seen in a limited number of targeted attacks. The issue is considered serious enough that the Microsoft advisory states they may issue an out-of-band update.
Meanwhile, the Enhanced Mitigation Experience Toolkit (EMET) can be used to help mitigate the risk. Other workarounds include setting the Internet and Local Intranet security zones settings to “High” in IE’s Internet Options. This will block ActiveX and active scripting (Don’t forget to add your trusted sites to the trusted sites zone). Alternately, you can configure IE to prompt you before it runs Active Scripting. This way, you will have the chance to decide whether you trust the site before running active scripting. This may, however, result in a large number of prompts on some sites. Other options include unregistering VGX.DLL, which prevents applications from rendering Vector Markup Language, or change the Access Control List on VGX.DLL to make it more restrictive. Finally, for computers running IE 11, you can enable Enhanced Protected Mode and enable 64 bit processes for EPM.
For more information about how to implement each of these workarounds, see Microsoft Security Advisory 2963983.