More Details about Security Advisory 2963983 IE 0day

Today we released Security Advisory 2963983 regarding a potential vulnerability in Internet Explorer reported by FireEye and currently under investigation.

We are working closely with FireEye to investigate this report of a vulnerability which was found used in very limited targeted attack:

–          the vulnerability is a “use-after-free” memory corruption and the exploit observed seems to target IE9, IE10 and IE11;

–          while the vulnerability affects Internet Explorer, the exploit relies deeply on two other components to successfully trigger code execution and in particular it requires presence VML and Flash components;

Our partner FireEye posted an analysis with some details and confirmed that the exploit wasn’t able to run successfully when EMET protection is added for Internet Explorer. The following EMET configuration can help to mitigate this specific exploit seen in the wild:

–          EMET 4.0 / 4.1: all mitigations enabled, deephooks/antidetour enabled

–          EMET 5.0TP: all mitigations enabled (including ASR/EAF+), deephooks/antidetour enabled 

Also, given the current details shared by FireEye, we believe that the exploit can be also mitigated by:

–          Disable VML in IE.

–          Run Internet Explorer in “Enhanced Protected Mode” configuration and 64-bit process mode, which is available for IE10 and IE11 in the Internet Options settings:

Cristian Craioveanu, Elia Florio and Chengyun Chu, MSRC Engineering