Microsoft issued a security advisory over the weekend warning of a vulnerability in its popular web browser, Internet Explorer. The vulnerability, which could allow remote code execution, impacts Internet Explorer versions 6 through 11.
The firm stated in the security advisory that they would take the appropriate action to protect customers upon completion of the investigation into the vulnerability. They are currently working with their partners in the Microsoft Active Protections Program (MAPP) “to provide information that they can use to provide broader protections to customers.”
The vulnerability exists within the way their web-browser “accesses an object in memory that has been deleted or has not been properly allocated.” The hole provides an opportunity for attackers to execute arbitrary code in the context of the current user within IE.
Due to the nature of the vulnerability, a victim would have to visit a booby-trapped webpage hosting code designed to exploit it. Upon successful exploitation, an attacker would have the ability to execute arbitrary code as the current user. The severity of the attack would be reduced for users whose accounts are configured with fewer user rights on the system.
Once successfully exploited, the vulnerability would provide attackers with the potential to exploit vulnerabilities in the system that could allow for escalated user privileges.
Refraining from visiting untrusted websites reduces the risk of falling victim to exploit code designed to take advantage of this vulnerability. However, users browsing the web with Internet Explorer versions 6-11 are still at risk from booby-trapped advertisements: advertisements are sometimes loaded from external sources, which gives attackers a means of attacking visitors of otherwise trustworthy websites.
Those utilizing the restricted mode known as the Enhanced Security Configuration and those who have disabled scripts and ActiveX controls would be at reduced risk of exploitation. Microsoft encourages customers to adhere to the guidelines set forth by the Microsoft Safety & Security Center, which suggests customers enable a firewall, install anti-malware software, and apply all software updates.
Code to exploit vulnerabilities such as this one is often integrated into browser exploit kits such as the well-known Blackhole exploit kit. Blackhole, which was ranked the most prevalent threat on the web as of 2012, is a software kit designed to exploit an array of vulnerabilities by first determining the visitor's configuration and then launching the appropriate attacks until a vulnerability has been successfully exploited and the payload delivered. In order to launch these attacks, the software creates a landing page which potential victims must visit in order to be attacked. The code comprising these booby-trapped landing pages is obfuscated. This obfuscation provides a layer of security for the developers of the software, as it hinders detection and reverse engineering. It is this advanced obfuscation that has helped make Blackhole one of the most persistent threats on the Internet.
Here’s a list reiterating the affected versions of Microsoft IE with additional insight into affected system configurations:
- Internet Explorer 6 – Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, Windows Server 2003 SP2 for Itanium-based Systems.
- Internet Explorer 7 – Windows Server 2003 SP2, Windows Server 2003 x64 SP2, Windows Server 2003 SP2 Itanium-based, Windows Vista SP2, Windows Vista x64 SP2, Windows Server 2008 32-bit SP2, Windows Server 2008 x64 SP2, Windows Server 2008 Itanium-based SP2.
- Internet Explorer 8 – Windows Server 2003 SP2, Windows Server 2003 x64 SP2, Windows Vista SP2, Windows Vista x64 SP2, Windows Server 2008 32-bit SP2, Windows Server 2008 x64 SP2, Windows 7 32-bit SP1, Windows 7 x64 SP1, Windows Server 2008 R2 x64 SP1, Windows Server 2008 R2 Itanium-based SP1.
- Internet Explorer 9 – Windows Vista SP2, Windows Vista x64 SP2, Windows Server 2008 32-bit SP2, Windows Server 2008 x64 SP2, Windows 7 32-bit SP1, Windows 7 x64 SP1, Windows Server 2008 R2 x64 SP1.
- Internet Explorer 10 – Windows 7 32-bit SP1, Windows 7 x64 SP1, Windows Server 2008 R2 x64 SP1, Windows 8 32-bit, Windows 8 x64, Windows Server 2012, Windows RT.
- Internet Explorer 11 – Windows 7 32-bit SP1, Windows 7 x64 SP1, Windows Server 2008 R2 x64 SP1, Windows 8.1 32-bit, Windows 8.1 x64, Windows Server 2012 R2, Windows RT 8.1.
The “SP” in the list above is an abbreviation for Service Pack.
If you found your current configuration on the list, deploy the Enhanced Mitigation Experience Toolkit (EMET) 4.1 to mitigate exploitation of this vulnerability; it adds layers of protection designed to make the vulnerability harder to exploit. EMET 4.1 is officially supported by Microsoft. It is only available in English, at least at present.
Setting the Internet and Local intranet security zone settings to “High” blocks Active Scripting and ActiveX controls in these zones, which helps protect against exploitation. You can adjust the browser’s settings to prompt before running Active Scripting if disabling it altogether is unacceptable.
Unregister “VGX.DLL” by clicking Start, then clicking Run, and typing in the following command:
"%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
Click “OK” and then click “OK” yet again after the dialog box appears to confirm that the un-registration process has been completed successfully.
Once the aforementioned DLL is unregistered, applications which render VML will no longer do so until vgx.dll has been re-registered.
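To confirm the workarounds above are in place on a machine, the following PowerShell check reports the Internet and Local intranet zone settings and looks for any remaining COM registration of vgx.dll. It is an added example, not part of Microsoft's advisory or the original article; the function names are hypothetical, and it assumes the standard per-user zone registry layout (zones 1 and 3, URL actions 1400 and 1200) and that unregistering removes the InprocServer32 entries pointing at vgx.dll.

```powershell
# Added example: audit the workarounds for the current user.
# Reads per-user settings only; values enforced by Group Policy are not checked.
$zones  = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$action = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Format-Action($value) {
    # Translate a URL action value into a readable state.
    if ($null -eq $value) { return 'Not set' }
    if ($action.ContainsKey([int]$value)) { return $action[[int]$value] }
    return "Other ($value)"
}

function Get-ZoneStatus {
    foreach ($id in ($zones.Keys | Sort-Object)) {
        $p = Get-ItemProperty -Path "$base\$id" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Zone            = $zones[$id]
            HighLevel       = ($p.CurrentLevel -eq 0x12000)   # 0x12000 = "High"
            ActiveScripting = Format-Action $p.'1400'         # Active scripting
            RunActiveX      = Format-Action $p.'1200'         # Run ActiveX controls
        }
    }
}

function Get-VgxRegistration {
    # Walk registered COM classes (native and 32-bit views) and report any
    # whose in-process server is still vgx.dll.
    $roots = 'HKLM:\SOFTWARE\Classes\CLSID',
             'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID'
    foreach ($root in ($roots | Where-Object { Test-Path $_ })) {
        foreach ($clsid in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
            $srv = $clsid.OpenSubKey('InprocServer32')
            if ($null -eq $srv) { continue }
            $path = "$($srv.GetValue(''))"    # default value = DLL path
            $srv.Close()
            if ($path -match 'vgx\.dll') {
                [pscustomobject]@{ Clsid = $clsid.PSChildName; Path = $path }
            }
        }
    }
}

Get-ZoneStatus | Format-Table -AutoSize
$vgx = @(Get-VgxRegistration)
if ($vgx.Count -eq 0) { 'vgx.dll: no COM registration found' }
else { 'vgx.dll is still registered:'; $vgx | Format-Table -AutoSize }
```

A zone reported with HighLevel False but ActiveScripting set to Prompt or Disabled corresponds to the prompt-before-running alternative described above rather than the full “High” setting.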
If you use a web browser other than Internet Explorer, such as Mozilla Firefox or Google Chrome, let us know which one and why you use it instead of the other options available. Submit your remarks using the comment form found below.