An old enemy returns – new IE zero day doing the rounds

 In ITC's Threat of the Week

After the relative novelty of rushing patches to Linux servers and revoking certificates left right and center over the last couple of weeks as a result of the Heartbleed bug, this week sees a return to the normalcy of Windows being the focus of attention.

Saturday saw Microsoft publish advisory 2963983/CVE-2014-1776, detailing a nasty new 0-day exploit affecting Internet Explorer Versions 6-11. Actually a combination of a couple of bugs – this one uses a vulnerability in the Adobe Flash Plugin to leverage a weakness in IE’s handling of some obscure vector graphics library that’s known for being riddled with security bugs. The exploit then allows a payload of the attackers choice to be executed on the target system, currently with little to no chance of detection and prevention – expect a spike in everything from APT infections to Ransomware Trojans to be underway as you read this.

The full advisory is here: https://technet.microsoft.com/en-US/library/security/2963983, but the long and short of it is there’s currently no solid hotfix available from Microsoft, so you need to consider protecting against this from a couple of different directions.

Taking the networking edge first, by the time you read this the main Next-Gen firewall and Intrusion Protection System (IPS) players should have updated their signatures, so as a first stop it’s worth checking that your signature update processes are all functioning properly. Check the one referencing CVE-2014-1776 is enabled and set to drop traffic (if your vendor isn’t offering protection against this, or your IPS are still broken, give us a call and we’ll set you on the right path.) Compared to Heartbleed, this one is easy to reliably detect with signatures and so this should give you some immediate peace of mind whilst you consider implementing some quick-fix client-side protection measures and wait for the official hotfix. One important point here though – you’ll need to make sure your next-gen firewall or IPS is setup to do man-in-the-middle SSL decryption if you want to catch this exploit being delivered over an HTTPS connection.

For client side protection, top of the list would be a suggestion to check out one of Microsoft’s many underappreciated security tools that offers solid protection here. The “Enhanced Mitigation Experience Toolkit” (EMET) is a neat little utility that will generate an easy to deploy MSI update that reconfigures a bunch of security settings on your Windows Endpoints, ultimately providing a more secure baseline configuration that will protect against this threat and plenty of others that are yet to be discovered. It’s not perfect, and you will need to test all your business apps against its settings, but as a free download, you can’t go far wrong – see http://support.microsoft.com/kb/2458544  for more detail.

Take notice that this is the first zero-day threat that affects XP but that Microsoft won’t ever be publically fixing on that operating system. There will be dozens more threats of this severity and worse affecting XP over the next few months, guaranteed. We’re sure you already know this, but if your organisation is still using Windows XP, it desperately needs to upgrade – you’re simply a sitting duck otherwise.

As always, if you need advice on protecting your network from this or any other threat then don’t hesitate to get in touch. We can assist with a range of security services – from some one-off advice around setting up content inspection of SSL traffic to implementing a fully blown NetSure360° managed security service with continuous inspection of all your inbound and outbound traffic and networking events to ensure that suspicious activity is identified and alerted in real time, 24/7. If you would like to get in touch, please call us on 020 7517 3900 or email [email protected]

Author: Kevin Whelan

Recent Posts

Leave a Comment

Tel:
+44 (0) 20 7517 3900

 

Contact ITC Secure

If you have a question, request, comment or requirement, please send us an email now and we will get back to you by return