CIO

Microsoft updates four key workarounds for Internet Explorer 0day attacks

Microsoft has released a new and broader list of strategies that admins can take to minimise the impact of attacks against the flaw affecting all versions of Internet Explorer.

In the absence of a patch, two ways to neuter known attacks on the previously unseen flaw in IE 6 to 11 (CVE-2014-1776) are disabling Flash in IE or, as some government CERTs have suggested, using another browser such as Chrome or Firefox.

For organisations that can’t do either, Microsoft’s Saturday advisory did provide several strategies to mitigate known attacks, which trigger a “use-after-free” flaw in IE via a rigged Flash file hosted on a booby-trapped website. A successful attack gives the attacker the same rights as the logged-on user.

The problem with Microsoft’s workarounds is that they “led to some confusion”, according to the company, which on Wednesday released a new document outlining how best to counter the threat in different environments.

Microsoft also updated its original advisory.

EMET 4.0 also works! (But it needs configuring)

One option admins had was to deploy Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). Microsoft warned on Saturday that version 3.0 of EMET won’t stop the known attack.

It also initially advised that only EMET 4.1 would mitigate the threat, while FireEye, the security vendor that discovered the flaw, said EMET 5.0 would also do the trick. Microsoft has since clarified that EMET 5.0 does work, even better than EMET 4.1, and that EMET 4.0 does the trick too. However, since EMET 5.0 is still a technical preview, Microsoft can’t recommend it for production use.

“The advisory and blog have both been updated to point out that both EMET 4.0 and EMET 4.1 are effective. Our technical preview of EMET version 5.0 also is effective in this regard; however, we do not recommend a technical preview for production deployment,” said Elia Florio and Jonathan Ness from Microsoft’s Security Response Centre engineering team.
 
The difference is that EMET 5.0 blocked variants of the attack on the IE flaw without extra configuration, whereas in the two earlier versions a feature known as “Deep Hooks” had to be actively enabled. Microsoft issued an update to EMET 4.1 at the Microsoft Download Centre on Wednesday that enables Deep Hooks by default.

One reason why Microsoft is cautious about recommending a preview product is that even the final release versions of EMET can cause problems that may outweigh the benefit of reduced risk. As Microsoft notes, “previous versions of EMET have introduced application compatibility issues.”

VGX.DLL does not contain the vulnerable code

Microsoft clarified details about its workaround for VGX.DLL, the library that was initially thought to contain the flaw. Unregistering VGX.DLL is an effective workaround; however, Microsoft said “VGX.DLL does not contain the vulnerable code leveraged in this exploit”. It is the library that implements Vector Markup Language (VML), which the known exploit uses to trigger the IE flaw.

“Disabling VGX.DLL is an exploit-specific workaround that provides an immediate, effective workaround to help block known attacks,” said Microsoft’s security engineers.

In other words, should attackers develop a new exploit for the flaw, this workaround won’t necessarily be effective. But for now it should work.

Enhanced Protected Mode alone on 32-bit Internet Explorer 11 doesn't work

Microsoft also clarified its workaround for IE 10 and IE 11, where it previously said Enhanced Protected Mode could be enabled to prevent the attack. Only those two versions offer Enhanced Protected Mode, and its effectiveness hinges on whether IE is running as a 64-bit process on a 64-bit machine.

“There is a difference between Internet Explorer 10 and Internet Explorer 11 that led to some confusion. Internet Explorer 10 has one setting to enable and Internet Explorer 11 has two settings to enable. The 64-bit aspect of Internet Explorer is a key element of this workaround as the heap spray attack is not effective in 64-bit address space, leading to a failed exploit. Enhanced Protected Mode alone on 32-bit Internet Explorer 11 is not effective in blocking the attack.”

As Microsoft explains, the advantage of this method is that it “helps” block exploits leveraging this vulnerability and potentially other vulnerabilities that may be discovered in the future, but it “requires 64-bit Windows and requires running 64-bit version of Internet Explorer.”
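An added audit script, written for this page and not taken from the article or from Microsoft, that reports whether the two configuration workarounds discussed above (the VGX.DLL unregistration and Enhanced Protected Mode with 64-bit tab processes) are in place on the local machine. The registry values it reads (Isolation = "PMEM", Isolation64Bit = 1, svcVersion) are assumed from Microsoft's IE documentation and are not stated in the article.

```powershell
# Added audit script, not from the article or Microsoft. Reports the state of the
# VGX.DLL and Enhanced Protected Mode (EPM) workarounds on the local machine.
# Assumed registry values: Isolation = "PMEM" turns EPM on; Isolation64Bit = 1
# turns on 64-bit tab processes (the second setting IE 11 needs).

function Test-VgxRegistered {
    # vgx.dll is a COM server. If any CLSID's InprocServer32 still points at it,
    # the unregistration workaround (regsvr32 -u vgx.dll) has not been applied.
    $roots = @('HKLM:\SOFTWARE\Classes\CLSID',
               'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID')   # 32-bit view on 64-bit Windows
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $hit = Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue } |
            Where-Object { $_.'(default)' -match 'vgx\.dll$' } |
            Select-Object -First 1
        if ($hit) { return $true }
    }
    return $false
}

function Get-EpmState {
    # Both the Group Policy hive and the per-user setting are honoured.
    $paths = @('HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main',
               'HKCU:\Software\Microsoft\Internet Explorer\Main')
    $state = [ordered]@{ Epm = $false; Epm64BitTabs = $false }
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if ($null -eq $v) { continue }
        if ($v.Isolation -eq 'PMEM') { $state.Epm = $true }
        if ($v.Isolation64Bit -eq 1)  { $state.Epm64BitTabs = $true }
    }
    return $state
}

# Assumed: svcVersion holds the installed IE version string (e.g. "11.0.9600.17041").
$ieVersion = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue).svcVersion
$is64 = [Environment]::Is64BitOperatingSystem
$epm  = Get-EpmState
$vgx  = Test-VgxRegistered

# Per the advisory: IE 10 needs EPM on 64-bit Windows; IE 11 additionally needs 64-bit tab processes.
$epmEffective = $is64 -and $epm.Epm -and ((-not "$ieVersion".StartsWith('11.')) -or $epm.Epm64BitTabs)

"IE version            : $ieVersion"
"64-bit Windows        : $is64"
"VGX.DLL unregistered  : $(-not $vgx)"
"EPM enabled           : $($epm.Epm)  (64-bit tabs: $($epm.Epm64BitTabs))"
"EPM workaround active : $epmEffective"
```

Run it in an elevated PowerShell on each IE host; a machine reporting neither "VGX.DLL unregistered : True" nor "EPM workaround active : True" has none of the configuration workarounds applied and relies on EMET alone.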

Which strategy should customers choose?

Microsoft outlines pros and cons for all three strategies, and the right choice depends on the specifics of the customer’s environment. Even so, it would seem that organisations that had already deployed EMET are in the best position to defend their assets, which could be a lesson for serious vulnerabilities in the future.

“In general, for customers that already have EMET 4.x deployed, enabling Deep Hooks is likely to be the best workaround option. For customers who have not yet deployed EMET 4.x, the priority should be on immediate, quick protection which is likely to be blocking access to VGX.dll.

“Deploying EMET is the best long-term protection but doing so without first testing in your environment is unlikely to be the best option. As always, we recommend staying up-to-date with the latest version of Internet Explorer for improved security features such as Enhanced Protected Mode, better backward compatibility through Enterprise Mode, increased performance, and support for the modern web standards that run today’s websites and services.”