Recently, Microsoft released Security Advisory 2963983, which describes a new zero-day vulnerability found in Internet Explorer (CVE-2014-1776). This remote code execution vulnerability allows an attacker to run code on a victim's system if the user visits a website under the attacker's control. Although attacks are known against only three IE versions (IE 9, 10, and 11), the underlying flaw exists in all versions of IE in use today, from IE 6 to IE 11.
For more details, read the article Internet Explorer Zero-Day Hits All Versions In Use.
This issue affects IE 6 to IE 11 on all Microsoft Windows platforms.
Update as of May 1, 2014 11:00 AM PST: Microsoft has released an emergency out-of-band security update to address this issue on all currently supported platforms, including Windows XP. Customers are encouraged to apply these security patches as soon as possible.
Refer to the following Microsoft articles for more information:
- Description of the security update for Internet Explorer for systems that have security update 2929437 installed: May 1, 2014
- Microsoft Security Bulletin MS14-021 - Critical
- Microsoft confirmation of XP patch
Even though Microsoft has just issued an emergency patch, Trend Micro and other security vendors are still analyzing and collecting real-time information on this vulnerability and potential exploits.
In the meantime, Trend Micro has released some proactive protection mechanisms to help customers guard against potential exploits of this vulnerability:
File Detection
Trend Micro has updated its heuristic code in OPR 10.763.00, specifically around CVE-2014-1776, and will continue to update and improve the detection as more information and samples become available. All customers utilizing Trend Micro VSAPI detections can benefit from these updates.
In addition, there are advanced technologies on some newer products that have additional rules and benefits.
Behavior Monitoring
Trend Micro has advanced heuristic features in the behavior monitoring module, available in the following products, which can detect a file download triggered by a possible exploit attack:
- OfficeScan (OSCE) 10.6 SP3 and above
- Worry-Free Business Security (WFBS) 9.0
- Titanium Antivirus+ 2013 and above
By default, these advanced features are not enabled in OfficeScan and WFBS. To enable the feature, follow the procedures in the articles below:
- Enabling the Meerkat Blocking feature of Worry-Free Business Security (WFBS) 9.0
- Activating Meerkat in OfficeScan 10.6 Service Pack 3 (SP3)
- Enabling Meerkat in OfficeScan (OSCE) 11.0
Browser Exploit Solution
Rule 101404.0.0 has been released to cover this vulnerability in Titanium Antivirus+ 2014.
Network Detection
For customers using Deep Security and OfficeScan Intrusion Defense Firewall (IDF), the following rule has been released to cover this vulnerability:
1006030 - Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-1776)
There is also a rule that restricts the use of the VML tag:
1001082 - Generic VML File Blocker
For users of Deep Discovery Inspector, we will release rule HTTP_CVE-2014-1776_IE_EXPLOIT to cover this vulnerability (NCIP 1.12083.00 and NCCP 1.12053.00).
Additional solutions will be added as they become available.