Security Alert: IE Zero-Day Vulnerability Discovered in Targeted Attacks

By gTIC ·


FireEye Research Labs has recently discovered targeted attacks which exploit a critical zero-day vulnerability and affect all versions of Internet Explorer (IE). FireEye has disclosed this vulnerability to Microsoft, whom has assigned CVE-2014-1776 to the vulnerability with a severity of 10 and has published Security Advisory 2963983 detailing the issue.


This exploit works in several stages ultimately resulting in arbitrary code execution within the context of the current user. Perhaps most notably, techniques used in the exploit are able to effectively bypass security features such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).

Note: Internet Explorer running on Windows Server with Enhanced Security Configuration enabled is protected against this vulnerability. All other Windows platforms are vulnerable.


At the moment, most of the available technical details regarding this vulnerability have been published by FireEye.

Exploitation begins by directing a target to a malicious website which loads malicious Flash content. This Flash file will prepare the heap memory space to contain the exploit payload in a memory location which can be determined at run-time. Next, a Javascript callback is made to exploit this vulnerability and allow arbitrary memory access. Finally, the exploit code is injected into the method of a Flash object where it is then invoked and the exploit payload executed, which ultimately makes HTTP requests to download the next stage of the exploit (malware payload).


There are several options available to prevent this exploit from succeeding:

  • Apply a security patch as soon as it is released by Microsoft.
  • Utilize Microsoft's Exploit Mitigation Experience Toolkit (EMET) version 4.1 or 5.0.
    Note: Applies to Windows XP -- this is critical as it is not yet confirmed if Windows XP will be receiving a security patch to resolve this issue.
  • Enable Enhanced Protection Mode (EPM) in IE10 and IE11.
  • Disable the Flash plugin within IE.
  • Un-register VGX.DLL: "%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
    Note: This can cause applications that depend on this module to fail, but several of our security partners cite this option because VGX.dll has also been implicated in other recent critical vulnerabilities (CVE-2013-2551, CVE-2013-0030).

Detection / Protection

Check Point IPS:

Signature:            Microsoft Internet Explorer Remote Code Execution (CVE-2014-1776)
Source:                CPAI-2014-1481

Palo Alto Networks IPS:

Update:                433-2194
Signature:             36435
Source:                 content-433-2194 release notes

Sourcefire IPS:

Update:                 SEU 1097 / SRU 2014-04-28-002
SIDs:                     30794, 30803
Source:                 SRU 04-28-2014-002

Symantec IPS/AV:

Web Attack:          MSIE use after free CVE-2014-1776
Malware:               Bloodhound.Exploit.552
Source:                 Symantec Security Blog


Vulnerability:        MS.IE.StyleLayout.Handling.Memory.Corruption
Coverage:             IPS (Regular DB) / VCM
Source:                 FortiGuard