Fix For Internet Explorer Security Flaw – Zero-day Internet Explorer Vulnerability (CVE-2014-1776)

You Have 5 Options

As a follow up to our earlier post, Microsoft Internet Explorer Security Bug Could Impact Millions of Users, we wanted to share what we’ve found out so far with respect to a fix for the latest IE flaw.

As of April 28, 2014, Microsoft has not provided a timeframe for a solution, and no workaround is available as of this time. Until a permanent solution is provided, we recommend that clients switch to other web browsers such as Google Chrome or Mozilla Firefox. If that option is not feasible, the following mitigations can reduce Internet Explorer’s attack surface:

• Disable Adobe Flash plugin. There is no associated vulnerability in Flash, but it is used to create the proper memory environment for successful exploitation and its absence will prevent infection in this specific case.
• Enable Enhanced Protected Mode (EPM). Introduced in Internet Explorer 10, EPM provides features that can prevent this exploit from working.
• Deploy the Enhanced Mitigation Experience Toolkit (EMET). The observed exploit contains techniques intended to bypass common mitigation strategies such as DEP and ASLR. EMET implements extended exploit mitigation.
• De-Register VGX.dll (VML parser) file, which is responsible for rendering of VML (Vector Markup Language) code in web pages, in order to prevent exploitation. Run following command:
  • regsvr32 -u “%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll”

Reminder: There will be NO Patch for XP users.

Microsoft has the following Suggested Actions to mitigate your exposure.

Come back often or follow our tweets and we’ll keep you up to date on what’s happening with the fix.

Update 4/29/14

Adobe Systems Inc. has shipped an emergency security update to fix a critical flaw in its Flash Player software that is currently being exploited in active attacks. The exploits so far appears to target Microsoft Windows users, but updates also are available for Mac andLinux versions of Flash.

The Flash update brings the media player to v. 13.0.0.206 on Windows and Mac systems, and v. 11.2.202.356 for Linux users. To see which version of Flash you have installed, check this link.

IE10/IE11 and Chrome should auto-update their versions of Flash. If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser.