Seriously, stop using Internet Explorer Now - fixedByVonnie

Attention internet users: you should all stop using Internet Explorer immediately.

This past Saturday, Microsoft published a security advisory announcing an Internet Explorer vulnerability that allows remote code execution in the context of the current user.

This means the attacker's code runs with whatever rights your account has. If you browse while logged in as an Administrator, an odious hacker can delete software, inject Trojans, steal data, create hidden accounts or just basically wreak absolute bedlam on your system; browsing as a standard user limits the damage but does not stop the attack.  The vulnerability has the potential to give a threat agent carte blanche access to your computer.

Technically, how does it work?

This is the way it works:

The attacker creates a malicious website that looks completely legitimate and then fools a user into viewing it.

That’s it.

You visit the nefarious website through Internet Explorer and then you’re owned.

To Microsoft’s credit, it has implemented defense-in-depth protections meant to blunt exactly this kind of attack.

Data Execution Prevention (DEP), introduced with Windows XP SP2, and Address Space Layout Randomization (ASLR), introduced in Windows Vista, were both designed to guard against common memory exploitation techniques.

But in this case neither is enough on its own. The underlying bug is a use-after-free, which hands the attacker a way to read and write memory the program is still using; the exploit FireEye analyzed uses that capability (together with the Adobe Flash plugin, see below) to work around ASLR and DEP rather than being stopped by them.

A use-after-free lives in the heap, the region of memory a program allocates from at run time for objects whose size or lifetime is not known in advance (the elements of a web page, for example).

The program allocates an object there and later frees it, but keeps a stale pointer to the freed memory.  The attacker then arranges for that same memory to be handed out again, this time filled with data they control, and waits for the program to use the stale pointer.  When it does, the program operates on the attacker's data instead of the object it thinks is there; if that data includes a function address (for example a faked virtual function table), the next call through it hijacks the execution of the application.

Stephen Bradshaw has a really good technical walkthrough of how a use-after-free exploit works.  It may feel a bit abstruse to non-programmers; however, if you really want to know how this works, it is an edifying 45 minute read.  The full technical details of the new Internet Explorer exploit are on FireEye’s blog.
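To make the sequence above concrete, here is an added example in C. It is not code from this post, from FireEye's write-up or from Internet Explorer; it uses a constructed toy allocator (fixed-size slots on a LIFO free list, standing in for a real heap's reuse of freed chunks) and a hypothetical `element` object whose function pointer plays the role of a C++ vtable slot. The names `uaf_vulnerable`, `uaf_fixed`, `toy_alloc` and `attacker_payload` are all assumptions for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy heap (not the Windows heap): fixed-size slots served from a
 * LIFO free list, so a freed slot goes straight back to the next same-size
 * request. That reuse is the allocator behaviour a use-after-free exploit
 * relies on. */
#define SLOT_SIZE 32
#define NSLOTS    4
static _Alignas(16) unsigned char heap[NSLOTS][SLOT_SIZE];
static int free_stack[NSLOTS];
static int free_top;

static void heap_init(void) {
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--)
        free_stack[free_top++] = i;          /* slot 0 is handed out first */
}

static void *toy_alloc(void) {
    return free_top ? heap[free_stack[--free_top]] : NULL;
}

static void toy_free(void *p) {
    /* Contents are left in place, as most allocators do; only the slot index
     * goes back on the free list. */
    free_stack[free_top++] = (int)(((unsigned char *)p - heap[0]) / SLOT_SIZE);
}

/* Hypothetical DOM-like object. The function pointer stands in for a C++
 * vtable slot: whoever controls the first machine word of the object controls
 * where the next virtual call goes. */
typedef void (*handler_fn)(const char *);
struct element {
    handler_fn on_click;
    char       name[SLOT_SIZE - sizeof(handler_fn)];
};

static int legit_calls, hijacked_calls;
static void legit_handler(const char *n)    { (void)n; legit_calls++; }
static void attacker_payload(const char *n) { (void)n; hijacked_calls++; }

/* Vulnerable sequence. Returns 1 if the stale pointer ended up calling
 * attacker_payload, i.e. control flow was hijacked. */
int uaf_vulnerable(void) {
    heap_init();
    legit_calls = hijacked_calls = 0;

    struct element *el = toy_alloc();
    el->on_click = legit_handler;
    strcpy(el->name, "button");
    el->on_click(el->name);                    /* 1. normal use */

    toy_free(el);                              /* 2. freed, but 'el' is still held */

    /* 3. Attacker forces a same-size allocation (in a browser: script creating
     *    a string or array of the right length) and fills it with chosen bytes.
     *    The toy heap gives back the very slot 'el' still points to. */
    unsigned char *spray = toy_alloc();
    handler_fn payload = attacker_payload;
    memcpy(spray, &payload, sizeof payload);   /* overlaps el->on_click */
    memset(spray + sizeof payload, 'A', SLOT_SIZE - sizeof payload - 1);
    spray[SLOT_SIZE - 1] = '\0';

    el->on_click(el->name);                    /* 4. dangling use: jumps to payload */
    return (void *)spray == (void *)el && hijacked_calls == 1;
}

/* Same sequence with the fix: the reference is dropped when the object is
 * freed, so there is nothing stale to dereference. Returns 1 if no hijack
 * happened. */
int uaf_fixed(void) {
    heap_init();
    legit_calls = hijacked_calls = 0;

    struct element *el = toy_alloc();
    el->on_click = legit_handler;
    strcpy(el->name, "button");
    el->on_click(el->name);

    toy_free(el);
    el = NULL;                                 /* no dangling reference survives */

    unsigned char *spray = toy_alloc();        /* attacker still gets the slot... */
    handler_fn payload = attacker_payload;
    memcpy(spray, &payload, sizeof payload);

    if (el != NULL)                            /* ...but nothing uses it */
        el->on_click(el->name);
    return hijacked_calls == 0 && legit_calls == 1;
}

int main(void) {
    printf("vulnerable: hijacked=%d\n", uaf_vulnerable());
    printf("fixed:      safe=%d\n", uaf_fixed());
    return 0;
}
```

Note what DEP and ASLR do and do not cover here: neither stops step 2 or step 3, because no memory protection is violated when a program writes to a slot it legitimately owns. They only raise the bar at step 4, by making the attacker guess where to jump and forbidding execution of the sprayed data itself, which is why a real exploit pairs the use-after-free with an information leak and reuses existing code. In a C++ or COM code base the stale reference usually comes from a reference-counting mistake rather than a literal missing `= NULL`, but the fix is the same idea: no pointer may outlive the object it names.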

Who’s behind the mayhem?

The hackers at the helm of this attack are both experienced and motivated.

They are collectively (and generically) known as an Advanced Persistent Threat (APT) and have a history of furtively launching attacks and then disappearing without a trace.

Security research firm FireEye has named this threat campaign “Operation Clandestine Fox” and is advising all users to patch their systems as soon as Microsoft releases a fix.

What’s the scope?

The vulnerability is officially known as CVE-2014-1776 and affects every version of Internet Explorer from IE6 through IE11; none is immune:

  • IE6 (Windows XP) 5.76%
  • IE7 (Windows XP) 1.73%
  • IE8 (Windows XP) 22.48%
  • IE9 (Windows 7) 13.9%
  • IE10 (Windows 7, Windows 8) 11.04%
  • IE11 (Windows 7, Windows 8, Windows 8.1) 1.32%

The above percentages are the market share of each browser version according to 2013 statistics from NetMarketShare.

Add those up and the exposed slice is significant.  The attackers are currently focusing on IE9, IE10 and IE11, but those alone still represent 26.26% of the browser market, so it is serious.

Given that the exposure covers over a quarter of the browser market, and that Microsoft has acknowledged there is no patch yet, this is a big deal.

What should you do?

Use Firefox, Chrome, Safari or Opera.  Don’t use Internet Explorer.

If you don’t have the liberty of switching away from Internet Explorer, it is imperative that you install the Enhanced Mitigation Experience Toolkit (EMET).  FireEye observed that EMET 4.1 and EMET 5.0 both break or detect the exploit.

Alternatively, on IE10 and IE11 you can mitigate the threat by enabling Enhanced Protected Mode (EPM).

EPM is a mitigation rather than a fix for the underlying bug: it runs each tab in a low-privilege AppContainer sandbox and, on 64-bit Windows, as a 64-bit process, which defeats the memory layout this exploit depends on.

In Internet Explorer, open Internet Options by clicking the little gear in the upper right corner of the browser.

[Screenshot: Internet Explorer 11 Internet Options]

Choose the Advanced Tab then scroll down to the bottom of the settings list and put a check mark in Enable Enhanced Protected Mode*.

[Screenshot: How to enable Enhanced Protected Mode in IE11]

Click OK, then restart your computer; settings marked with an asterisk only take effect after a restart.

Keep in mind that EPM may break Adobe Flash, but that is no loss here: FireEye’s analysis shows the exploit depends on the Flash plugin.  In other words, you can mitigate the threat either by enabling Enhanced Protected Mode or by disabling the Adobe Flash plugin, and doing both is better still.

Update! (04/29/14 09:02am)

Today Adobe released a Flash Player update.  Because the exploit depends on the Flash plugin, keeping Flash current matters, but note that this is not a fix for the Internet Explorer vulnerability itself; that has to come from Microsoft.

