US CERT: STOP browsing with internet explorer.
why? and what to do now?
Author: Jozef Džama
US-CERT
The US Computer Emergency Readiness Team (US-CERT) strives for a safer,
stronger Internet for all Americans by responding to major incidents,
analyzing threats, and exchanging critical cybersecurity information
with trusted partners around the world.
What's the problem?
Microsoft Internet Explorer contains a use-after-free vulnerability,
which can allow a remote, unauthenticated attacker to execute arbitrary
code on a vulnerable system.
use-after-free vulnerability
Low-level inspection of the vulnerability places it into a class called
"Use After Free", which accounts for a large number of recently
discovered IE exploits. Such vulnerabilities are usually triggered by
JavaScript embedded in HTML files that allocates objects, references
them from the page context, and then frees the memory where an object
resides without checking whether any variables still point at it.
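The pattern above, reduced to a few lines of C as an added illustration (this is constructed teaching code, not Internet Explorer's object model and not code from the original slides): a toy "node" object is shared by two variables, one of them drops it, and the other keeps a pointer. The unchecked free leaves a dangling pointer; the reference-counted release, which is the check the slide says is missing, keeps the object alive until the last holder lets go. The `node_t` type and function names are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy object standing in for a script-allocated DOM node (constructed for this example). */
typedef struct {
    int  refcount;
    char name[32];
} node_t;

node_t *node_new(const char *name) {
    node_t *n = calloc(1, sizeof *n);
    if (!n) return NULL;
    n->refcount = 1;                         /* the creator holds the first reference */
    strncpy(n->name, name, sizeof n->name - 1);
    return n;
}

/* A second variable takes a reference before it starts using the object. */
void node_retain(node_t *n) {
    if (n) n->refcount++;
}

/* VULNERABLE pattern: free on request, ignoring other holders.
 * Every other pointer to n now dangles; dereferencing one is a use-after-free. */
void node_free_unchecked(node_t *n) {
    free(n);
}

/* HARDENED pattern: the memory is only released when the last reference is dropped.
 * Returns 1 if the object was actually freed, 0 if other holders still exist. */
int node_release(node_t *n) {
    if (!n) return 0;
    if (--n->refcount > 0) return 0;
    memset(n, 0, sizeof *n);                 /* scrub so a stale read is obvious garbage */
    free(n);
    return 1;
}

/* Replays the script flow from the slide with the checked release:
 * two variables point at one object, the first drops it, the second keeps using it.
 * Returns the refcount the surviving holder observes (1 means the object is still live). */
int demo_checked_release(void) {
    node_t *a = node_new("div");
    if (!a) return -1;
    node_t *b = a;                           /* second variable, same object */
    node_retain(b);

    int freed_early = node_release(a);       /* 0: b still holds a reference */
    int still_live  = (freed_early == 0) ? b->refcount : -1;

    node_release(b);                         /* last holder gone: memory really freed */
    return still_live;
}

int main(void) {
    /* Safe path: the object survives the first release. */
    printf("refcount seen by second holder: %d\n", demo_checked_release());

    /* Unsafe path, shown but not dereferenced: after the unchecked free,
     * b is a dangling pointer. Reading *b here is exactly the bug class the
     * advisory describes, and is what AddressSanitizer reports as heap-use-after-free. */
    node_t *a = node_new("span");
    node_t *b = a;
    node_free_unchecked(a);
    (void)b;                                 /* do not touch b: it no longer points at a live object */
    printf("unchecked free done; second pointer now dangles\n");
    return 0;
}
```

The difference between the two release functions is the whole point of the slide: the unchecked version trusts the caller to know that nobody else holds the object, while the counted version makes that check explicit and refuses to free early.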
back to our problem
This particular vulnerability is being exploited in the wild.
Although no Adobe Flash vulnerability appears to be at play here, the
Internet Explorer vulnerability is used to corrupt Flash content in a
way that allows ASLR to be bypassed via a memory address leak. This is
made possible with Internet Explorer because Flash runs within the same
process space as the browser. Note that exploitation without the use of
Flash may be possible.
Recommendations
- Unregistering VGX.DLL
- Some configurations of Internet Explorer
- Switching to (another) web browser
US-CERT rarely goes as far as to recommend that Americans switch
browsers. See more at:
http://www.itnews.com/windows/77943/us-cert-americans-stop-browsing-ie
my recommendation
So which one would you choose?
bibliography
- http://www.itnews.com/windows/77943/us-cert-americans-stop-browsing-ie
- http://www.computerworld.com/s/article/9246877/US_CERT_urges_XP_users_to_dump_IE
- http://www.us-cert.gov/ncas/current-activity/2014/04/28/Microsoft-Internet-Explorer-Use-After-Free-Vulnerability-Being
- http://www.kb.cert.org/vuls/id/222929
- https://www.owasp.org/index.php/Using_freed_memory
- http://blogs.ixiacom.com/ixia-blog/yet-another-internet-explorer-use-after-free-exploit/
Thank you for your attention.
Questions?