Security Thoughts: The Inconvenient Truth about CVE-2014-1776 (aka “The Windows XP Mega Vulnerability”)

An Inconvenient Truth

Looking at the news these last couple of days, you’d think the XPocalypse has begun.
A vulnerability has been discovered in Internet Explorer 6 through 11, and code to attack it has been made publicly available. According to several websites, this is a critical vulnerability discovered after Microsoft officially ended support for Windows XP, so organizations using this old technology are, and will remain, at risk.

I chuckled.


Impact

The Verge describes the impact of this vulnerability as:

Microsoft published a security advisory today warning its customers that a vulnerability in all versions of Internet Explorer (6 through 11) could let hackers gain full user permissions over your computer, allowing them to install programs, view and delete data, and much more simply by visiting a website.

I think it’s interesting that Dante D’Orazio of The Verge uses the word “full” while linking to Microsoft’s official Security Advisory 2963983. That page clearly states:

An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The ability to execute code is limited to the rights the compromised account has on the system. In organizations, implementing Windows with Least Administrative Privilege is the best practice and the standard. It should come as no surprise this principle is extensively covered in all Windows-oriented Microsoft exams.

While deleting (and possibly encrypting) user data can be a real nuisance, restoring data from backups is still available on well-implemented systems, since the system integrity isn’t typically compromised by these attacks.

This vulnerability is rated critical in terms of Microsoft’s Security Bulletin Severity Rating System because of the Remote Code Execution ability.


Attack vector

Although Internet Explorer is identified as the faulty product by many tech websites, the initial attack vector is not Internet Explorer, but a vulnerability in Adobe’s Flash Player that is described in CVE-2014-0515. Internet Explorer has a vulnerability in the way it accesses an object in memory that has been deleted or has not been properly allocated, but this vulnerability, at the moment, is only exploitable through Adobe Flash Player.

Because, in recent years, Adobe Flash accounted for a lot of attack vectors towards Windows systems, Microsoft, together with Adobe, has adopted a new patching mechanism for Windows 8 and Windows 8.1 that updates Flash Player through Internet Explorer and the Windows Update mechanisms. Through this update mechanism, Windows 8 and Windows 8.1-based systems have already been updated with Adobe Flash Player 13.0.0.206.

For Internet Explorer versions running on Windows systems before Windows 8, Adobe has issued an update to Flash Player for Windows that brings its version to 13.0.0.206. Adobe still supports Windows XP when you’ve patched it through to Service Pack 3. So, even when people in your organization run Internet Explorer 6 on Windows XP, you can protect them from these initial attacks.

You can use Windows Server Update Services (WSUS) to push the Adobe Flash Player update.


Mitigating factors and workarounds

The list of mitigating factors and workarounds in Microsoft’s official Security Advisory 2963983 is long. In addition to updating Adobe Flash Player and Windows, and implementing the principle of least administrative privilege, these actions help you protect against exploitation of this vulnerability:

  • Internet Explorer Enhanced Security Configuration (IE ESC) mitigates this vulnerability. (This is enabled by default on Windows Server installations.)
  • You can deploy version 4.1 or version 5.0 of the Enhanced Mitigation Experience Toolkit (EMET). EMET helps to mitigate this vulnerability in Internet Explorer on systems where EMET is installed and configured to work with Internet Explorer.
  • When you set the Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones, this protects against exploitation of this vulnerability.
  • When you configure Internet Explorer to prompt before running Active Scripting, or to disable Active Scripting, in the Internet and Local intranet security zones, this protects against exploitation of this vulnerability.
  • When you unregister or modify the ACLs on vgx.dll, web applications that render VML will no longer do so. This protects against exploitation of this vulnerability.
  • Enabling Enhanced Protected Mode for Internet Explorer 11 and enabling 64-bit Processes for Enhanced Protected Mode protects against exploitation of this vulnerability.
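As an added example (not code from the original post, from Microsoft or from Adobe), here is a read-only PowerShell audit that checks the Flash Player version mentioned in the attack-vector section above and each of the workarounds in this list, so you can see which of them a given machine actually has in place. The registry locations, the vgx.dll ACL check and the EMET_Service service name are assumptions based on documented Internet Explorer and EMET layouts; verify them against your own build before relying on the report.

```powershell
# Added audit script; not from the original post or from Microsoft. Read-only: it reports
# whether the Flash Player update and each workaround from Security Advisory 2963983 is in place.
# Registry paths, the ACL check and the EMET service name are assumptions (see lead-in).
$MinFlash = [version]'13.0.0.206'   # Flash build the post names as closing CVE-2014-0515

function Get-FlashActiveXVersion {
    # The IE (ActiveX) Flash plug-in records its version here; $null means Flash is not installed
    $v = (Get-ItemProperty 'HKLM:\SOFTWARE\Macromedia\FlashPlayerActiveX' -ErrorAction SilentlyContinue).Version
    if ($v) { [version]$v } else { $null }
}

function Get-ZoneSetting([int]$Zone, [string]$Action) {
    # Zone 1 = Local intranet, 3 = Internet; 1200 = Run ActiveX controls, 1400 = Active Scripting
    # Value 0 = enable, 1 = prompt, 3 = disable. HKCU is read first, HKLM (policy) as fallback.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "$($hive):\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
        $val = (Get-ItemProperty $key -ErrorAction SilentlyContinue).$Action
        if ($null -ne $val) { return [int]$val }
    }
    return 0   # absent value = IE default (enabled)
}

function Test-VgxLockedDown {
    # The advisory's ACL workaround denies Everyone access to vgx.dll, the VML renderer
    $dll = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'
    if (-not (Test-Path $dll)) { return $true }   # no VML renderer present at all
    $acl = Get-Acl $dll
    [bool]($acl.Access | Where-Object { $_.IdentityReference -eq 'Everyone' -and $_.AccessControlType -eq 'Deny' })
}

function Get-IeMitigationReport {
    $flash = Get-FlashActiveXVersion
    $main  = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FlashPatched      = ($null -eq $flash) -or ($flash -ge $MinFlash)   # no Flash = no CVE-2014-0515 vector
        FlashVersion      = $flash
        ScriptingBlocked  = ((Get-ZoneSetting 3 '1400') -ne 0) -and ((Get-ZoneSetting 1 '1400') -ne 0)
        ActiveXBlocked    = ((Get-ZoneSetting 3 '1200') -ne 0) -and ((Get-ZoneSetting 1 '1200') -ne 0)
        VgxLockedDown     = Test-VgxLockedDown
        EpmEnabled        = ($main.Isolation -eq 'PMEM')        # Enhanced Protected Mode (IE10/11)
        Epm64BitProcesses = ([int]$main.Isolation64Bit -eq 1)   # 64-bit processes for EPM
        EmetInstalled     = [bool](Get-Service EMET_Service -ErrorAction SilentlyContinue)
    }
}

$report = Get-IeMitigationReport
$report | Format-List
# Per the post: patched Flash plus at least one workaround closes the currently known attack path
if (-not $report.FlashPatched) { Write-Warning "Flash $($report.FlashVersion) is older than $MinFlash" }
```

Run it under the user account whose Internet Explorer configuration you want to audit, since the zone and Enhanced Protected Mode settings are read from that user’s hive.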

No solution for Windows XP

It’s true that home users and small businesses running Windows XP will (most likely) not gain access to an update for the vulnerability in Internet Explorer (if/when it becomes available). Microsoft has done a stellar job providing free support for nearly 13 years.

Large organizations and governments, however, had the opportunity to buy extended support on Windows XP for at least another year. Organizations that have made this purchase will see an update to address this vulnerability (if/when it becomes available).

I’m very interested to see if Microsoft decides to support Windows XP for customers. I imagine the code that is needed to patch Internet Explorer on Windows XP is not that different from the code for Windows Server 2003 and more recent versions of Windows. There are multiple ways to look at it.


Fear, uncertainty & doubt (FUD)

To top things off, many news outlets and government agencies are now actively discouraging the use of Internet Explorer. A perfect example is this tweet by the Dutch Police Team High Tech Crime:

[Image: tweet by the Dutch Police Team High Tech Crime (Politie)]

When you translate the text to English, you’ll notice that the Dutch government is actually discouraging the use of Internet Explorer for the time being. As a side note, they tell us that no solution will become available for Windows XP.

With the list of mitigating factors and workarounds available to protect against exploitation of the vulnerability in Internet Explorer, and the availability for updates for organizations that have purchased Windows XP extended support, I feel the whole tweet can be discarded, regardless of the good intentions it was written with.


Concluding

The impact of this Internet Explorer / Flash vulnerability is relatively low, since code can only be executed with the privileges of the logged-on user account.

When you communicate to colleagues, end-users and customers, make sure you give them proper advice.

The attack is non-exploitable when Adobe Flash Player for Windows is updated to version 13.0.0.206 or up and at least one of the actions in the list of mitigating factors and workarounds is performed.

These vulnerabilities, CVE-2014-1776 and CVE-2014-0515, are business as usual.

Further reading

New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks
Security flaw puts all Internet Explorer users at risk, exposes Windows XP 
Microsoft Races To Fix Massive Internet Explorer Hack: No Fix For Windows XP Leaves 1 In 4 PCs Exposed 
Windows XP is permanently vulnerable to the newest Internet Explorer zero-day flaw 
0-Day Vulnerability in Internet Explorer Threatens Windows XP 
Internet Explorer hack spells trouble for Windows XP users 
There’s A Dangerous Bug In Internet Explorer, But Microsoft Won’t Fix It For Windows XP Users  
US, UK govt: Friends don’t let friends use Internet Explorer – try Chrome or Firefox
