Threat Summary:
Microsoft has published Security Advisory 2963983, which confirms a new zero-day vulnerability in Internet Explorer. The vulnerability essentially affects all versions of Internet Explorer running on Windows and is being actively exploited in the wild.
The vulnerability is due to a use-after-free error. A remote attacker could exploit this vulnerability by enticing the target user to open a malicious web page. In the case of successful exploitation, arbitrary attacker code would be executed in the security context of the target user.
The in-the-wild exploit for this vulnerability uses a previously unknown use-after-free bug in conjunction with a malicious SWF file that is used to manipulate the heap. After spraying the heap, the SWF file is made to call back into JavaScript in the vulnerable IE instance to trigger the bug. This memory corruption is then leveraged to execute arbitrary code, bypassing both ASLR and DEP.
Notably, this vulnerability will remain unpatched on Windows XP, which recently received EOL status from Microsoft.
Affected Products:
Microsoft Internet Explorer 6
Microsoft Internet Explorer 7
Microsoft Internet Explorer 8
Microsoft Internet Explorer 9
Microsoft Internet Explorer 10
Microsoft Internet Explorer 11
Juniper IPS Detection:
The Juniper Security Research Team is aware of this issue and released an IPS signature for it, "HTTP: STC:IE:6-11-UAF", in signature pack #2368 on April 28th, 2014. Customers who are using the recommended policy are protected after installing Signature Pack #2368 or greater. Customers who are using non-recommended policies can deploy this signature specifically to stay protected.
Mitigation:
There is currently no patch available for this vulnerability, and Microsoft has not shared any timeline for a patch. End users can follow the mitigation guidelines suggested in the vendor advisory.
References:
Microsoft Security Advisory 2963983
https://technet.microsoft.com/library/security/2963983
CVE-2014-1776
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1776