What you need to know about the latest unpatched vulnerability in Internet Explorer
New IE vulnerability being exploited in the wild
The latest vulnerability release for Internet Explorer (IE) was announced in a pair of releases by Microsoft and FireEye. FireEye is credited with alerting Microsoft after having seen the vulnerability being exploited in the wild. According to FireEye, all IE versions greater than and including IE6 are affected, however only version IE9 through IE11 are actively being exploited in the wild. The CVE-2014-1776 Internet Explorer 0-day vulnerability can be exploited by visiting a malicious page in an affected version of IE, which can grant attackers code execution on the victim’s machine with the same level of access as the user logged in.
The exploit being used in the wild uses Adobe Flash to bypass DEP and ASLR by loading a crafted SWF file. Reportedly, the exploit will not work if either Adobe Flash is unavailable or IE’s “Enhanced Protection” mode is enabled. At this time there is no public weaponized exploit, although this will likely change soon.
Why this vulnerability is significant
This vulnerability is significant for 3 reasons:
- As of Monday April 28, 2014, Microsoft has not yet released a patch for this vulnerability.
- This vulnerability will not be patched on the now end-of-life Windows XP operating system.
- This vulnerability affects a relatively large number of IE versions.
What users should do
If IE is the only browser that can be used, consider applying the following techniques to avoid vulnerability to this exploit.
- Enable IE’s “Enhanced Protected Mode” if possible.
- Disable Adobe Flash player. This is what the public exploit relies on at this time. It is possible that another technique might be used to bypass DEP and ASLR.
- Use Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) version 4.1 or the new 5.0 Tech Preview edition and ensure that EMET is configured to protect IE.*
- Never run IE as an administrative user.
- Apply the update once Microsoft has released it.
*Not all EMET protections are available on all version of Microsoft Windows.