Zero-Day Internet Explorer Vulnerability Let Loose in the Wild


Symantec is aware of reports of a zero-day vulnerability, Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-1776), that affects all versions of Internet Explorer.

Microsoft released a security advisory on a vulnerability in Internet Explorer that is being leveraged in limited targeted attacks. There is currently no patch available for this vulnerability and Microsoft has not, at the time of writing, provided a release date for one.

Our testing confirmed that the vulnerability crashes Internet Explorer on Windows XP. This will be the first zero-day vulnerability that will not be patched for Windows XP users, as Microsoft ended support for the operating system on April 8, 2014. However, Microsoft stated that its Enhanced Mitigation Experience Toolkit (EMET) 4.1 and above can mitigate this Internet Explorer vulnerability and is supported by Windows XP. Besides using EMET, Symantec Security Response encourages users to temporarily switch to a different Web browser until a patch is made available by the vendor.

Symantec protects customers against this attack with the following detections:

We will update this blog with additional information as soon as it becomes available.

 

Update – April 28, 2014:
In order to mitigate Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-1776), Symantec provides the following recommendations.

Microsoft states that versions of the Enhanced Mitigation Experience Toolkit (EMET) 4.1 and above can mitigate this vulnerability in Internet Explorer. The toolkit is available for Windows XP users as well. If using EMET is not an option, users can consider mitigating the currently known exploit by unregistering a DLL file named VGX.DLL. This file provides support for VML (Vector Markup Language) in the browser, which the majority of users do not need. However, once the library is unregistered, any application that depends on the DLL may no longer function properly, and some applications installed on the system may re-register the DLL. With this in mind, the following single command can be executed to make the system immune to attacks that attempt to leverage the currently known exploit for this vulnerability. It can be used on all affected operating systems:

"%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

We have developed a batch file that can be used to perform the task for those who may be required to administrate large IT infrastructures.


Note: Users will need to rename the file using a .bat extension.

The batch file has the ability to verify the current state of the DLL file and unregister the DLL as needed. The script outlined in the batch file is very simple and can be used as a basis to customize the code to fit the needs of certain system environments.
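The following batch script is an added example, not the file Symantec distributed: it checks whether VGX.DLL is still COM-registered before touching it, unregisters it only when needed, and re-checks afterwards. It assumes an elevated 64-bit command prompt, and it locates registrations by scanning value data under the CLSID keys rather than by a hard-coded CLSID (the label names and the [ok]/[fix] output format are this example's own).

```batch
@echo off
rem Added example, not the batch file Symantec distributed: reports whether
rem VGX.DLL is still COM-registered and unregisters it only when it is.
rem Run from an elevated (administrator), 64-bit command prompt.
setlocal EnableDelayedExpansion

call :unreg "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll" HKCR\CLSID
rem 64-bit Windows also ships a 32-bit copy, registered under Wow6432Node.
if defined CommonProgramFiles(x86) call :unreg "%CommonProgramFiles(x86)%\Microsoft Shared\VGX\vgx.dll" HKCR\Wow6432Node\CLSID
exit /b 0

:unreg
rem %1 = full path of the DLL, %2 = CLSID key to inspect for its registration
set "VGX=%~1"
set "KEY=%~2"
if not exist "!VGX!" (
    echo [skip] !VGX! not present
    goto :eof
)
rem Scan value data under the CLSID key for the DLL name. This is slow
rem (tens of seconds) but does not depend on knowing the CLSID; reg query
rem exits with errorlevel 1 when nothing matches.
reg query "!KEY!" /s /f vgx.dll /d >nul 2>&1
if errorlevel 1 (
    echo [ok]   !VGX! is already unregistered
    goto :eof
)
echo [fix]  unregistering !VGX!
"%SystemRoot%\System32\regsvr32.exe" /s /u "!VGX!"
rem Re-check so the script reports whether the mitigation actually took,
rem e.g. if regsvr32 lacked rights or another product re-registered the DLL.
reg query "!KEY!" /s /f vgx.dll /d >nul 2>&1
if errorlevel 1 (
    echo [ok]   !VGX! unregistered
) else (
    echo [warn] !VGX! still referenced under !KEY! - check rights or re-registration
)
goto :eof
```

Because applications may re-register the DLL, scheduling the script to run periodically (or after software installs) is what keeps the mitigation in place until the vendor patch is applied.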

Please note that recommendations, such as the one provided here, may not be possible for future vulnerabilities. We recommend that unsupported operating systems, such as Windows XP, be replaced with supported versions as soon as possible.

 

Update – May 02, 2014:
Microsoft has released an out-of-band security update to address this vulnerability. For more information, see the following Microsoft security advisory:

Out-of-Band Release to Address Microsoft Security Advisory 2963983

A Reminder about Rootkits

 

Rootkit stories show up in the mainstream media on a regular basis these days. While these stories raise public awareness about what the bad guys are doing, they usually leave readers wondering what they can do to protect themselves from silent threats infecting their computers at home and in the office. 
Broadly defined, a rootkit is any software that acquires and maintains privileged access to the operating system (OS) while hiding its presence by subverting normal OS behavior. A rootkit typically has three goals: 
 
  1. A rootkit wants to be able to run without restriction on a target computer. 
  2. It wants to elude being detected by the computer or an installed security product. 
  3. It wants to deliver its payload, such as stealing passwords or network bandwidth, or installing other malicious software.
 
So what can you do (other than re-build your computer every time) if you suspect it is infected? Even if you do not suspect anything is wrong with your computer (since that is what rootkit authors want), how can you be certain that some malicious code is not hiding there? When news stories cover these threats, they usually say that users should make sure that they are running security software and that it is up to date. But if a rootkit is already running and hiding from your security software, how does keeping it up to date help?
 
Symantec security products such as Norton Internet Security and Symantec Endpoint Protection include a number of technologies that are designed to prevent, detect, and remove rootkits without being fooled by the tricks rootkits use to remain hidden. Using a variety of technologies working individually and together, these products provide top-quality protection against rootkits. The components work together as a protection stack by monitoring a variety of inputs and behaviors on a protected system and sharing that information in order to get a complete picture of a potential attack, while still maintaining a low false-positive rate.
 
For a more in depth look at rootkits and how to protect yourself against such threats, please see the Symantec Security Response whitepaper on Rootkits.

Spammers Mark 10th Anniversary of 9/11

Thanks to Vivek Krishnamurthi for contributing to this blog.

Every sensitive event is an opportunity to exploit. With this motive in the background, it is not surprising to see spammers exploit 9/11.  With the 10th anniversary of the tragedy just a day away, spammers want to make the best use of this emotionally charged environment. 

Here are two examples of scams that Symantec has noticed in recent days that attempt to exploit the emotional scars left by 9/11:
 
Figure 1: First email example exploiting 9/11
 
 
Figure 2: Second email example exploiting 9/11
 
The first sample tries to entice users to click a link in order to get more information about a new Justice Coin minted to commemorate the success of Operation Geronimo, in which Osama bin Laden was killed by Navy SEALs. The subject reads “September 11, 2001 remembrance.” The second sample is a survey scam that promises a $250 gift card for taking a "September 11 Survey."
 
Both examples are email harvesters that want to check the validity of the recipient's email account (which would occur if the recipient clicked any of the links) and to extract more information from the victim. The latter would happen, for example, if the victim fell for the scam, clicked a link, and offered further personal data in the survey or filled out the order form for the commemorative coin (figure 3).
 
Figure 3: Example of "order form" for commemorative 9/11 coin
 
Symantec advises users to be vigilant, especially if they are tempted to respond to unsolicited or anonymous emails related to 9/11. Don’t let scammers play with your emotions and entice you to become trapped in their net. Remember: updating antispam signatures regularly helps prevent personal information from being compromised.

I Think I Know You – Part 2

 

In 2004, Massachusetts Senator Edward “Ted” Kennedy was refused an airline boarding pass by the Transportation Security Administration (TSA) on five different occasions. Despite being from one of the most famous families in American politics, not to mention being a U.S. Senator, he still appeared on a no-fly list designed to prevent terrorists from boarding airplanes. This was a mistake; one that took three weeks to clear up. No explanation was ever publicly given. One has to assume that there was someone else, presumably a suspected terrorist, with a similar name.
 
I was reminded of that incident at Black Hat, where Alessandro Acquisti from Carnegie Mellon University presented a paper called “Faces of Facebook: Privacy in the Age of Augmented Reality” (which is also the starting point for the first part of this series).
 
The TSA started testing facial recognition software in 2003. Eight years is a long time in software development. Given the advances in commercial software, if facial recognition has yet to be installed in airports, it’s not because of any technology limitation (unless we consider accuracy; more on that later).
 
The use of facial recognition by the government goes well beyond airports and the TSA, though. And it is certainly not restricted to the United States. The South Korean government has taken photographs of over 23,000 people since 2003, and they have used facial recognition software to match them to photos and names in resident and driver registration databases.
 
Police in Vancouver reportedly used facial recognition software to try and identify people who participated in riots there this past June. No word on which was more successful, using facial recognition or finding those who boasted of their rioting skills on Facebook. Beyond this, though, Facebook played an additional role in that a Facebook page was created whereby people could post photos they took of rioters in order to help the police.
 
A tool called MORIS is soon to be released for law enforcement agencies. It’s a mobile device that will be able to scan fingerprints, irises and facial features, enabling the police to identify a suspect without even taking them back to the station. It will be sold by a private company that manages its own database.
 
The FBI is working to improve access to its fingerprint database with a project called NGI, Next Generation Identification. And they are working on an initiative that will “also explore the capability of facial recognition technology.”
 
These are just some of the examples I was able to find with a quick Internet search. Presumably, a deeper search would reveal a great many more.
 
The promise of this sort of tool has to be very appealing to those in law enforcement. Just think of all the other ways it could be used. Say you were on the lookout for terrorists or criminals trying to use identity theft to get legitimate forms of identification. A quick check with facial recognition software would not only prevent you from issuing the ID, it would also call out the cops. According to the Boston Globe, at least 34 states are using such systems to review driver’s licenses for identity theft.
 
But what if you don’t have access to a government database of photos, or to photos helpful citizens gave you, yet you want to identify someone from a picture? This is the problem. Professor Acquisti and his team tried to solve it, and what they reported at Black Hat was that they could do pretty well with off-the-shelf facial recognition software and cheap webcams. Where did they get their database of photos? Facebook, of course.
 
Facebook has an estimated 100 billion photos. Many of them are conveniently tagged with user names, and many of those are in accounts where users have left them “wide open,” in other words, with no security that would restrict who has access to those photos. All of Acquisti’s team’s work was done using publicly available photos.
 
So what is there to worry about? What’s wrong with being better at catching thieves and terrorists? Not a darn thing. But this is where Ted Kennedy comes in: two people having the same name is pretty common, but few of us are as well known as Edward Kennedy was; if a mistake like that can happen with names, it’s going to happen with faces.
 
They say no two faces are the same. But we are talking about software trying to do a very, very difficult task. There will be mistakes. In fact, it didn’t take me very long to find an example. The goal of the program in Massachusetts in this example actually sounds pretty good. Nobody wants the bad guys getting their hands on legitimate driver’s licenses. And they do have a plan to correct mistakes.
 
Of course it hasn’t happened to me, so I didn’t have to go through the hassle of proving who I was. With facial recognition software, you can be guilty of looking like someone else until proven innocent.
 
Of bigger concern is what happens when facial recognition software is used everywhere. What happens if I get refused at the ATM or get turned away at a business because I look like someone who’s stolen credit cards?  I may not even get told that it was my face that caused the problem.  If Ted Kennedy couldn’t find out why they thought he was a terrorist, what are my chances?