siljaline (Premium Member, join:2002-10-12, Montreal, QC)
I'm lovin' that double wide

6 recommendations

Microsoft releases Security Advisory 2963983

quote:
Today, we released Security Advisory 2963983 regarding an issue that impacts Internet Explorer. At this time, we are only aware of limited, targeted attacks. This issue allows remote code execution if users visit a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message.
»blogs.technet.com/b/msrc ··· ory.aspx

»technet.microsoft.com/en ··· /2963983

For those with Twitter -
»twitter.com/msftsecresponse

»twitter.com/msftsecrespo ··· 47803648

Dustyn (Premium Member, join:2003-02-26, Ontario, CAN)

Thanks for the advisory. This is one large scope of affected IE versions! And again with IE6!
I have to wonder if Microsoft intends to patch IE6 once again.
By continuing to do this it just further continues to give people a reason to use it.
This shows Microsoft continues to support using IE6 if they continue patching it every time a new vulnerability is discovered.

Frodo (Member, join:2006-05-05)

I think they'll patch it until there are no underlying operating systems not at EOL that use IE6. I'm thinking that if IE6 was the browser on Win2003 server, then it could be patched until EOL for Win2003.

Gone Fishing (Premium Member, join:2001-06-29) to siljaline

2 recommendations

MS releases Security Advisory 2963983 - EMET

Suggested Actions - EMET
»technet.microsoft.com/en ··· /2963983

Dustyn (Premium Member, join:2003-02-26, Ontario, CAN)

1 recommendation
EMET runs pretty silently on my systems.

Gone Fishing (Premium Member, join:2001-06-29)

1 recommendation

said by Dustyn:

EMET runs pretty silently on my systems.



DSLR: »EMET (Bypassing EMET 4.1)

Dustyn (Premium Member, join:2003-02-26, Ontario, CAN)

1 recommendation

Thanks!
I'll be using 5.0 when it's released final.

siljaline (Premium Member, join:2002-10-12, Montreal, QC) to Dustyn

Re: Microsoft releases Security Advisory 2963983

See also from the folks at FireEye:
~ New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks ~
quote:
FireEye Research Labs identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. This zero-day bypasses both ASLR and DEP. Microsoft has assigned CVE-2014-1776 to the vulnerability and released security advisory to track this issue.
»www.fireeye.com/blog/unc ··· cks.html

taytong888 (Member, join:2005-06-20, Nepean, ON) to Dustyn

Re: MS releases Security Advisory 2963983 - EMET

Hi Dustyn,

I just installed EMET 4.1. I cannot set "Max. Security Settings" and "DEP = Always On". The error message popping up is "Failed to set System DEP Policy". Can you help? BTW, I am running Win 7 Home premium.

Thanks in advance.

siljaline (Premium Member, join:2002-10-12, Montreal, QC)

Re: MS releases Security Advisory 2963983

How is DEP configured on your PC ?

BlitzenZeus (Burnt Out Cynic, Premium Member, join:2000-01-13) to siljaline

Re: Microsoft releases Security Advisory 2963983

We didn't even have to go an entire month, and we have an exploit that can be used on XP systems. Sure, you can say you'll use another browser, but how long will that last unless you can compile your own browser? Other solutions like EMET will be useful, but 4.1 isn't perfect either.

If it's so serious they should issue an out of band patch instead of letting the problem fester until next month.

therube (Member, join:2004-11-11, Randallstown, MD)

quote:
exploit that can be used on xp systems
Oh that's just bogus (though probably ? true).

Look at the list of affected OS's.
(Vista & up. XP is not even mentioned, as there is no longer support for it.)
Look at the list of affected browser versions.
(6 & up.)

IE 10/11 in its default Enhanced Protected Mode will help.
Though you can't get IE10 on Vista.

So, here you have an...

exploit that can be used on xp systems
exploit that can be used on Vista systems
exploit that can be used on Win7 systems
exploit that can be used on Win8 systems

yada, yada, yada

And note that the exploit starts with Flash.
Flash to IE to OS ...

The MS article also (rightly) talks about; Outlook & OE & Windows Mail.
But then you may have any number of other programs that tie into the "IE" engine. Are they also an avenue...

They talk about disabling VGX.DLL, but what are the consequences (what will no longer work) if you do so?

taytong888 (Member, join:2005-06-20, Nepean, ON) to siljaline

Re: MS releases Security Advisory 2963983

Exactly the same as yours, i.e. same as shown.

85160670 (banned) (Member, join:2013-09-17, Edmonton, AB) to Dustyn
"If U know neither the enemy nor yoursel

Re: MS releases Security Advisory 2963983 - EMET

THX .... RANDY & mine is the same as Dustyn's {{{ SMILE }}}

TheWiseGuy (MVM, join:2002-07-04, East Stroudsburg, PA) to siljaline

2 recommendations

Re: Microsoft releases Security Advisory 2963983

Homeland Security has issued an alert on this one, though it occurs through Adobe Flash.

»www.nbcnews.com/tech/sec ··· k-n91281

As to it hitting XP, the problem there is there probably will not be an update fixing it, so users will remain at risk even after a fix.

therube (Member, join:2004-11-11, Randallstown, MD)

1 recommendation

> XP ... there probably will not be an update fixing it

Which we don't know, perhaps will never know?
But, they will fix the browser & if that fix flows through to XP, then there is the possibility that XP will be "patched".

Dustyn (Premium Member, join:2003-02-26, Ontario, CAN) to taytong888

Re: MS releases Security Advisory 2963983

said by taytong888:

Exactly the same as yours, i.e. same as shown.

Have you tried selecting: "Turn on DEP for all programs and services except those I select"?

I'll have to verify my settings.
I don't think I did anything special to enable MAXIMUM security settings.

In fact my setting looks like this as I'm guessing it's being managed by EMET.
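
The DEP exchange above (taytong888's "Failed to set System DEP Policy" error, siljaline's question about how DEP is configured, and Dustyn's guess that EMET is managing the setting) is easier to sort out when the policy is read straight from Windows rather than from the EMET or Control Panel dialogs. The following PowerShell is an added example, not code from the thread, from EMET or from Microsoft. The property names and the meaning of the policy values are those Microsoft documents for the Win32_OperatingSystem WMI class; the statement that EMET's System DEP drop-down writes the same boot-configuration "nx" option is an assumption. Set-DepPolicy needs an elevated prompt and a reboot to take effect.

```powershell
# Added example (not from the thread, EMET, or Microsoft): read and set the
# system-wide DEP policy that the "Failed to set System DEP Policy" exchange
# above is about.

function Get-DepPolicy {
    # Win32_OperatingSystem exposes the current DEP policy as a small integer;
    # the names below are the documented meanings of those values.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $names = @{
        0 = 'AlwaysOff'
        1 = 'AlwaysOn'
        2 = 'OptIn  (Windows programs and services only)'
        3 = 'OptOut (all programs except those excluded)'
    }
    $value = [int]$os.DataExecutionPrevention_SupportPolicy
    New-Object PSObject -Property @{
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        PolicyValue          = $value
        Policy               = $names[$value]
        Covers32BitApps      = [bool]$os.DataExecutionPrevention_32BitApplications
    }
}

function Set-DepPolicy {
    # The system DEP policy is a boot option ("nx"), so it is changed with
    # bcdedit from an elevated prompt and only takes effect after a reboot.
    # Assumption: this is the same setting EMET's System DEP drop-down writes,
    # so a bcdedit failure here points at the same cause as EMET's error.
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('OptIn', 'OptOut', 'AlwaysOn', 'AlwaysOff')]
        [string]$Policy
    )
    & "$env:SystemRoot\System32\bcdedit.exe" /set '{current}' nx $Policy
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit returned $LASTEXITCODE (prompt not elevated, or boot store not writable?)"
    }
    "DEP policy set to $Policy; reboot for it to take effect."
}

# Usage:
#   Get-DepPolicy | Format-List
#   Set-DepPolicy -Policy AlwaysOn    # what "DEP = Always On" in EMET corresponds to
```

Run Get-DepPolicy first: if PolicyValue is already 1 the EMET dialog has nothing to change, and if HardwareDepAvailable is false the machine has no hardware NX support, which is a different problem from an EMET bug.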

BlitzenZeus (Burnt Out Cynic, Premium Member, join:2000-01-13) to therube

Re: Microsoft releases Security Advisory 2963983

Use your damn brain, IE 6 was affected, and IE 7 was included with Vista. XP will no longer receive any new updates through Windows Update. All versions 6 through 11 were affected....

Frodo (Member, join:2006-05-05)

said by BlitzenZeus:

XP will no longer receive any new updates through windows update.

This is what I'll do with my XPs.
quote:
What if I have XP?
Unregister the VGX.DLL file as shown above.
Never re-register it.

"%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

Done.

siljaline (Premium Member, join:2002-10-12, Montreal, QC) to TheWiseGuy

Saw that - thanks !
US CERT and KB 2963983: Don't use drive-by-enabled Internet Explorer
quote:
The Department of Homeland Security's US-CERT team has issued an official advisory, warning Windows customers that they should not use any modern version of Internet Explorer, from IE6 to IE11. It's important to note that Microsoft's Security Advisory 2963983 lists the exploit as a problem even with IE11 running on Windows 8.1 and Windows RT 8.1. It isn't clear from Microsoft's list if the problem also affects Windows 8, Windows RT, and/or Windows 8.1 Update, although Server 2003, Server 2008, 2008 R2, 2012, and Server 2012 R2 running with their default settings aren't vulnerable.
»www.infoworld.com/t/micr ··· r-241467

Mele20 (Premium Member, join:2001-06-05, Hilo, HI)
Why does that InfoWorld article say:

"FireEye notes that disabling the Flash plug-in in IE will prevent this particular exploit from functioning. Since Flash is baked into IE10 and IE11, it appears that disabling Flash will only work in IE6 though IE9. But note that the security hole still exists in IE, even without Flash."

Are they claiming that disabling Flash in IE 10/11 doesn't work? It works for me on Windows 8 Pro. (Of course, I use the Proxomitron which makes Flash Click to Play anyway but to be the very safest I also keep Flash (and Java) disabled in IE 10 until I need one of them and when I am through I disable them again).

Frodo (Member, join:2006-05-05) to siljaline
According to Microsoft, one of the mitigations is to unregister vgx.dll
"%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

On my 64 bit Win7 system, %CommonProgramFiles% resolved to "C:\Program Files\Common Files" using a 64 bit command prompt, and to "C:\Program Files (x86)\Common Files" when using a 32 bit command prompt.

So, if that mitigation is used on a 64 bit system, I'm thinking that the unregistering command would have to be issued twice, once from a 32 bit command prompt and one from a 64 bit command prompt.


therube (Member, join:2004-11-11, Randallstown, MD) to Mele20
> Flash is baked into IE10 and IE11

Only on Win8+. (And maybe only with IE11 ? don't recall?)

> it appears that disabling Flash will only work in IE6 though IE9

(In Win8) MS supplies Flash for IE, but it can still be disabled.

> note that the security hole still exists in IE, even without Flash

The hole may exist, but it is exploited via Flash.
So if Flash is removed (or when patched) the security hole cannot be exploited in that manner.

therube (Member) to Frodo
(x64, what a crock, for the most part, & in general)

Certainly are 32 & 64-bit versions.
So what is one to do? MS only mentions one?

PS: Nirsoft has a utility (in both 32 & 64-bit varieties), RegDllView.

Mele20 (Premium Member, join:2001-06-05, Hilo, HI) to therube
said by therube:

Flash is baked into IE10 and IE11

Only on Win8+. (And maybe only with IE11 ? don't recall?)

I have Windows 8.0 Pro and IE 10 and Flash is "baked in" so it is not just in IE 11.
said by therube:

The hole may exist, but it is exploited via Flash.
So if Flash is removed (or when patched) the security hole cannot be exploited in that manner.

Yes. The hole cannot be exploited without Flash. But DISABLING Flash is just as effective as removing it or patching it seems to me. The exploit cannot turn Flash on in IE 10/11 when the user has it disabled can it? So, I was just questioning why that article didn't mention this as a valid mitigation for those versions of IE where Flash is "baked in".

Frodo (Member, join:2006-05-05) to therube
said by therube:

Certainly are 32 & 64-bit versions.
So what is one to do? MS only mentions one?

I unregistered both of them, by issuing the command from a 32 bit elevated command prompt and issuing the command again from a 64 bit elevated command prompt.


ka1ford (Anon, @192.199.12.x) to Mele20
said by Mele20:

Yes. The hole cannot be exploited without Flash. But DISABLING Flash is just as effective as removing it or patching it seems to me. The exploit cannot turn Flash on in IE 10/11 when the user has it disabled can it? So, I was just questioning why that article didn't mention this as a valid mitigation for those versions of IE where Flash is "baked in".

Disabling Adobe flash will only protect you from the current exploit that is in-the-wild. It will not protect you should someone choose to use another method to launch an exploit against the same "hole". or to put it another way. . . adobe flash is merely the box that the bomb has been placed in. The box itself isn't the problem. . .it's the bomb inside that is the threat. . .and that bomb can be easily repackaged into another container.

Frodo (Member, join:2006-05-05) to siljaline

1 recommendation
This bulletin has been revised.
quote:
Why was this advisory revised on April 29, 2014?
Microsoft revised this advisory for the following reasons:

• To clarify that the Enhanced Protected Mode workaround applies to both Internet Explorer 10 and Internet Explorer 11.
• To update the workaround steps for the Unregister VGX.DLL workaround to include running the command from an elevated command prompt and instructions for running the command for both 32-bit and 64-bit systems.
• To remove the Access Control List on VGX.DLL workaround. This workaround will still help protect users from the vulnerability, but it is no longer recommended by Microsoft because it has the same effect as the Unregister VGX.DLL workaround and is harder to deploy.
Their approach for unregistering the VGX.dll should work on a 64 bit system provided the commands are issued from a 64 bit command prompt. The command prompt in my Accessories folder on Win7 was a 64 bit command prompt.
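
Frodo's two posts above (that %CommonProgramFiles% resolves to a different directory in a 32-bit and a 64-bit prompt, and that the revised advisory now gives the unregister command for both bitnesses) and therube's question about how to tell which copies are registered can be handled in one script. The following PowerShell is an added example, not code from the advisory, from Microsoft or from the thread. It assumes the DLL paths the thread reports for 64-bit Windows 7 and pairs each copy with the regsvr32 of the same bitness so that the matching registry view (CLSID or Wow6432Node\CLSID) is updated; the registration check scans both views for an in-process server pointing at vgx.dll, which is what a tool like the RegDllView mentioned above would show you. Run it from an elevated 64-bit PowerShell prompt. VGX.DLL is Internet Explorer's VML renderer, so what stops working after the workaround is VML content in IE and in applications that embed the IE engine.

```powershell
# Added example (not from the advisory or the thread): apply the
# "Unregister VGX.DLL" workaround to both copies of the DLL on 64-bit
# Windows and then verify that no COM class is still registered against it.
# Run from an elevated 64-bit PowerShell prompt. Paths are the ones the
# thread reports for 64-bit Windows 7 and are assumed for other versions.

function Get-VgxCopies {
    # In a 64-bit PowerShell, CommonProgramFiles is "Program Files\Common Files"
    # and CommonProgramFiles(x86) is "Program Files (x86)\Common Files"; only
    # the first exists on 32-bit Windows. Each DLL is paired with the regsvr32
    # of the same bitness so the matching registry view gets updated.
    $copies = @(
        @{ Dll      = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'
           Regsvr32 = "$env:SystemRoot\System32\regsvr32.exe" }
    )
    if (${env:CommonProgramFiles(x86)}) {
        $copies += @{ Dll      = Join-Path ${env:CommonProgramFiles(x86)} 'Microsoft Shared\VGX\vgx.dll'
                      Regsvr32 = "$env:SystemRoot\SysWOW64\regsvr32.exe" }
    }
    $copies | Where-Object { Test-Path $_.Dll }
}

function Unregister-Vgx {
    # /u = unregister, /s = no message box. regsvr32 exit code 0 means
    # DllUnregisterServer succeeded; 5 means it failed, usually because the
    # prompt is not elevated.
    foreach ($c in Get-VgxCopies) {
        $p = Start-Process -FilePath $c.Regsvr32 `
                           -ArgumentList '/u', '/s', "`"$($c.Dll)`"" `
                           -Wait -PassThru
        "{0}: regsvr32 exit code {1}" -f $c.Dll, $p.ExitCode
    }
}

function Get-VgxComRegistrations {
    # Scan both registry views for COM classes whose in-process server is
    # vgx.dll. Empty output means the workaround is in effect. To undo it,
    # run the same regsvr32 for each copy without /u.
    $views = 'Registry::HKEY_CLASSES_ROOT\CLSID',
             'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
    foreach ($view in $views) {
        Get-ChildItem $view -ErrorAction SilentlyContinue | ForEach-Object {
            $sub = $_.OpenSubKey('InprocServer32')
            if ($sub) {
                $server = [string]$sub.GetValue('')
                $sub.Close()
                if ($server -like '*vgx.dll*') {
                    "{0} -> {1}" -f $_.PSChildName, $server
                }
            }
        }
    }
}

# Usage:
#   Get-VgxComRegistrations    # lists the classes before the change
#   Unregister-Vgx             # one line per copy with its exit code
#   Get-VgxComRegistrations    # expect no output afterwards
```

The registry scan is the part worth keeping even if you apply the workaround by hand: a single regsvr32 run from the wrong prompt leaves one view untouched, and the scan shows which one.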

siljaline (Premium Member, join:2002-10-12, Montreal, QC)

Thanks for this, Frodo, I was on my way to say more or less the same thing.

Safe Hex while MS fixes this mess - possibly look for a Fix It or *out-of-band* patch.



dp (MVM, join:2000-12-08, Greensburg, PA) to siljaline
Microsoft Security Advisory Notification
Issued: April 29, 2014

Security Advisories Updated or Released Today

* Microsoft Security Advisory (2963983)
  - Title: Vulnerability in Internet Explorer Could Allow Remote Code Execution
  - »technet.microsoft.com/li ··· /2963983
  - Revision Note: V1.1 (April 29, 2014): Updated advisory to clarify workarounds to help prevent exploitation of the vulnerability described in this advisory. See Advisory FAQ for details.