Flash exploit targeting Internet Explorer versions 8 through 11
FireEye Research Labs identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11.
This zero-day bypasses both ASLR and DEP. Microsoft has assigned CVE-2014-1776 to the vulnerability and released a security advisory to track this issue.
The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections.
Using EMET may break the exploit in your environment and prevent it from successfully controlling your computer. EMET versions 4.1 and 5.0 break (and/or detect) the exploit in our tests.
Enhanced Protected Mode in IE breaks the exploit in our tests.
EPM was introduced in IE10.
Additionally, the attack will not work without Adobe Flash. Disabling the Flash plugin within IE will prevent the exploit from functioning.
An e-blast from Steve Gibson's research center
I got my first ever e-mail from Gibson Research (Steve Gibson) about this. I shall quote:
Web browsers are growing insanely complex. It's pretty clear that they will be our next-generation operating platforms. And as the last annual "Pwn2Own" contest showed, none of them can currently withstand the focused attention of skilled and determined attackers, especially when some prize money is dangled on the other side of the finish line.
Thus, to immediately protect any use of Internet Explorer – yes, even on creaky old WinXP (the XPocalypse has been delayed) – simply execute the following incantation using either a Windows Command Prompt or the "Run..." dialog under the Start button (if you're lucky enough to still have one on your Windows desktop):
regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
This unregisters (-u) the VML renderer, thus rendering it inaccessible to the exploit attempt. Your IE browser will no longer be able to render vector markup language content... but it probably never did before, anyway.
For 64-bit Windows:
regsvr32 -u "%CommonProgramFiles(x86)%\Microsoft Shared\VGX\vgx.dll"
Make sure you include the end double-quote when doing the command. I haven't seen any problems using IE (v. 11) since doing this on all 5 PCs I own.
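
A read-only check that the workaround quoted above took effect, as an added example that is not part of the original post or of the quoted e-mail: it looks for any COM class registration that still points at vgx.dll, in both the native and the 32-bit registry view. Get-VgxRegistration is a hypothetical helper name, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: audit for the vgx.dll workaround (read-only, changes nothing).
# Get-VgxRegistration is a hypothetical helper name, not a built-in cmdlet.

# The two file locations named by the regsvr32 commands in the post.
$dllPaths = @(Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll')
if (${env:CommonProgramFiles(x86)}) {
    $dllPaths += Join-Path ${env:CommonProgramFiles(x86)} 'Microsoft Shared\VGX\vgx.dll'
}
$dllPaths = $dllPaths | Select-Object -Unique

# COM class registrations: native view, plus the 32-bit view on 64-bit Windows.
$clsidRoots = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID',
    'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
) | Where-Object { Test-Path -LiteralPath $_ }

function Get-VgxRegistration {
    foreach ($root in $clsidRoots) {
        foreach ($clsid in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            try {
                $key = $clsid.OpenSubKey('InprocServer32')
                if ($null -eq $key) { continue }
                $dll = [string]$key.GetValue('')   # default value holds the server DLL path
                $key.Close()
            } catch { continue }                   # unreadable key: skip it
            if ($dll -match '\\vgx\.dll"?\s*$') {
                [pscustomobject]@{ View = $root; Clsid = $clsid.PSChildName; Dll = $dll }
            }
        }
    }
}

foreach ($p in $dllPaths) {
    "{0}  present on disk: {1}" -f $p, (Test-Path -LiteralPath $p)
}
$found = @(Get-VgxRegistration)
if ($found.Count -eq 0) {
    'No COM class registration points at vgx.dll in the views checked.'
} else {
    $found | Format-Table -AutoSize
    'vgx.dll is still registered in the view(s) listed above.'
}
```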