Vulnerability in Internet Explorer Could Allow Remote Code Execution

ITS Advisory Number: 
2014-039b
Date(s) Issued: 
Monday, April 28, 2014
Date Updated: 
Thursday, May 1, 2014
Subject: 
Vulnerability in Internet Explorer Could Allow Remote Code Execution
Overview: 

A vulnerability has been discovered in Microsofts web browser, Internet Explorer, which could allow an attacker to take complete control of an affected system. Exploitation can occur if a user views a specially crafted website.ÿ Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Currently there is no patch available for this vulnerability. Microsoft has issued recommended workarounds provided in the links below.

May 1, 2014 UPDATED OVERVIEW:
Microsoft has released an out-of-band security update for Internet Explorer that addresses this vulnerability. Also, they have extended support for Windows XP for this vulnerability only.

'
Systems Affected: 
  • Internet Explorer 6
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 

ORIGINAL DESCRIPTION:
A vulnerability exists in Internet Explorer that can allow for remote code execution. This vulnerability exists in the way that Internet Explorer access objects in memory that has been deleted or has not been properly allocated. An attacker could corrupt the memory in a way that the attacker then could execute code. Exploitation can occur if a user views a specially crafted website.ÿ Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Currently there is no patch available for this vulnerability. Microsoft has issued recommended workarounds provided in the links below.

May 1, 2014 UPDATED DESCRIPTION:
Microsoft has released an out-of-band security update for Internet Explorer that addresses this vulnerability. Microsoft has extended support to patch Windows XP for this vulnerability only.

Actions: 
  • Apply patches provided by Microsoft as soon as they are available after appropriate testing
  • Add sites that you trust to the Internet Explorer Trusted sites zone.
  • Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
  • Enable Enhanced Protected Mode For Internet Explorer 11 and Enable 64-bit Processes for Enhanced Protected Mode
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Apply the patch provided by Microsoft immediately after appropriate testing.
References: 
Microsoft:
https://technet.microsoft.com/en-us/library/security/2963983
http://blogs.technet.com/b/srd/archive/2014/04/26/more-details-about-security-advisory-2963983-ie-0day.aspx
FireEye:
http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html
Open Sourced Vulnerability Database (OSVDB):
http://www.osvdb.org/show/osvdb/106311
May 1, 2014 UPDATED REFERENCES:
Microsoft:
https://technet.microsoft.com/library/security/ms14-021
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1776