Summary
- Critical vulnerability (CVE-2014-1776) identified in Internet Explorer, with active attacks observed in the wild
- IE vulnerability could be used to exploit multiple versions of Internet Explorer, including those on Windows XP-based systems, which no longer receive security updates from Microsoft
- Palo Alto Networks Threat Prevention customers are protected from exploitation of the vulnerability
- Cyvera endpoint solution specializes in preventing the type of exploitation behavior used in this attack
On Saturday, Microsoft disclosed a critical vulnerability in Internet Explorer, CVE-2014-1776, affecting Internet Explorer versions 6 through 11. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability allows an attacker to execute arbitrary code in the context of the current user within Internet Explorer. This could be exploited with drive-by downloads or watering-hole attacks, and has been observed being used in attacks in the wild.
The exploit code used in these attacks only targets IE versions 9, 10 and 11, but earlier versions are still vulnerable. As of this writing, Microsoft has not stated when a patch for the vulnerability will be available, but in its advisory the company provided multiple workarounds. Additionally, Windows XP systems running IE 6, 7 and 8 are also vulnerable, but will not receive a patch, as Microsoft no longer supports them.
Palo Alto Networks response
- We released an emergency content update on April 28th, 2014 that provides detection of attempted exploitation of CVE-2014-1776 with IPS vulnerability signature ID 36435 ("Microsoft Internet Explorer Memory Corruption Vulnerability") with critical severity and a default action of reset-client. Palo Alto Networks customers with a Threat Prevention subscription are advised to verify that they are running the latest content version on their devices.
- We are integrating Cyvera’s next-generation endpoint solution into our security platform. This integration will provide customers with the ability to stop zero-day attacks on browsers and operating systems to prevent future breaches that exploit unknown vulnerabilities, as we have seen used in CVE-2014-1776.
It is always important to view this type of critical vulnerability in the larger context of the threat landscape. Each year, attackers identify thousands of critical vulnerabilities in commonly used software such as Internet Explorer. Once identified, they then craft a seemingly endless supply of exploits that leverage these vulnerabilities to deliver unknown malware and compromise networks and endpoints.
Palo Alto Networks' enterprise security platform is focused on providing an integrated approach to detecting and preventing advanced threats across each step in the attack kill-chain. Bringing together our next-generation firewall – again a Gartner Magic Quadrant Leader – Threat Prevention, URL Filtering, WildFire, and Cyvera’s ability to prevent exploitation of unknown vulnerabilities will allow us to continue offering ground-breaking protection for our customers’ networks and endpoints, including Windows XP clients.