Update: 6th August 2015:
Sorry for not updating this post sooner. According to two separate new articles here and here, only one of these zero day flaws affected the desktop version of IE (installed on workstations, laptops and servers). This flaw ZDI-15-359 has been previously patched by Microsoft. In addition, the remaining three flaws affect the version of IE bundled with Windows Phones. A smaller number of Windows Phone users are affected than the number of devices that run the desktop version of IE; however Windows Phone users should monitor for an update to their phone’s software that should resolve these remaining security issues.
In addition, while these issues were publicly disclosed in July, exact details of the issues were not provided in the ZDI advisories linked to above. Public disclosure usually means all details are disclosed, but in this case the right decision not to publish exact details should help reduce the risk to users until these remaining issues are patched.
Between late 2014 and early 2015 HP’s Zero Day Initiative (ZDI) responsibly disclosed (defined) 4 security vulnerabilities within Internet Explorer (IE) to Microsoft. In all 4 of the disclosures, Microsoft investigated and provided information regarding an expected build/version of IE that would resolve these issues but in all cases, no expected date for this updated build was provided. ZDI notified Microsoft of their intention to disclose details of these flaws publicly following the end of a 120 day deadline.
Exploiting any of these 4 security vulnerabilities disclosed by ZDI requires a user to visit a compromised legitimate website (as seen in watering hole attacks) or a website specifically designed to exploit these flaws.
What Can I Do To Defend Myself From These Unpatched Issues?
- A suggestion that does not cost any funds and is easy to implement would be to use another web browser until these issues are patched e.g. Mozilla Firefox, Apple Safari, Opera and Google Chrome being the most popular choices.
- Use caution when clicking on any links in emails, instant messages or social networking posts when the links were received unexpectedly or the wording of such messages is suspicious. For shortened links, consider using a preview service to check the destination of the full link before visiting it. Links to preview services are available within the “Protecting Your PC” page of this blog.
- Install and enable the default settings of Microsoft EMET. On my personal PCs which use Windows 8.1 64 bit and Windows 7 64 bit I have all mitigations for IE 11 64 bit enabled. A list of known EMET application incompatibilities is available here. You can also ask questions within the EMET forum. The following are very useful tutorials on EMET 5 and EMET 4 (still relevant).
- When Windows 10 is released next week, consider using Microsoft Edge since it incorporates additional defences against Use-After-Free flaws (3 of these flaws are use-after-free flaws (defined)) and would not be vulnerable to these issues since Edge is based on a separate codebase to IE (Edge is a development fork of IE). For more background information regarding Microsoft Edge, please see a previous blog post of mine.
- Each of the ZDI advisories (linked to below) includes disabling Active Scripting within IE as a mitigation. While this is an effective mitigation, it may affect the reliable display of the websites that you visit.
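For administrators who prefer to check or apply the Active Scripting mitigation from a script, the following PowerShell is an added example and does not come from the original post or the ZDI advisories. It assumes the standard IE zone registry layout (value name 1400 under each zone key, with policy keys taking precedence); the helper name Get-Action1400 is made up for this example.

```powershell
# Added example: report, and optionally disable, Active Scripting for IE zones.
# URL action 1400 = Active scripting; data 0 = enable, 1 = prompt, 3 = disable.
param(
    [int[]]$Zones = @(3, 4),   # 3 = Internet, 4 = Restricted sites
    [switch]$Disable           # without -Disable the script only reports
)

$meaning = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }
$prefs   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$policy  = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-Action1400([string]$Path) {
    # Returns the DWORD stored under value name 1400, or $null when it is not set
    $item = Get-ItemProperty -Path $Path -Name '1400' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.'1400'
}

foreach ($zone in $Zones) {
    $userKey = "HKCU:\$prefs\$zone"
    # Checked in order: Group Policy keys, when present, override the user value
    $sources = @(
        @('machine policy', "HKLM:\$policy\$zone"),
        @('user policy',    "HKCU:\$policy\$zone"),
        @('user setting',   $userKey)
    )
    $effective = $null
    $from = 'no explicit value'
    foreach ($source in $sources) {
        $value = Get-Action1400 $source[1]
        if ($null -ne $value) { $effective = $value; $from = $source[0]; break }
    }
    $text = 'left at default'
    if ($null -ne $effective) {
        $text = if ($meaning.ContainsKey($effective)) { $meaning[$effective] } else { "value $effective" }
    }
    Write-Output ("Zone {0}: Active Scripting {1} ({2})" -f $zone, $text, $from)

    if ($Disable -and $effective -ne 3) {
        if ($from -like '*policy') {
            Write-Warning "Zone ${zone}: value comes from Group Policy; change it there."
        } else {
            if (-not (Test-Path $userKey)) { New-Item -Path $userKey -Force | Out-Null }
            Set-ItemProperty -Path $userKey -Name '1400' -Value 3 -Type DWord
            Write-Output "Zone ${zone}: Active Scripting disabled for the current user"
        }
    }
}
```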
The recommendation of using EMET will not only protect against these unpatched flaws but also make exploitation of known flaws much harder. Alternatives to EMET are Malwarebytes Anti-Exploit (free or paid for versions) and HitmanPro.Alert (paid for product).
I will update this post should more information on mitigations for these issues become available or any further information is shared regarding when these issues may be patched.
Links to the 4 advisories published by ZDI are shown below:
ZDI-15-359: Microsoft Internet Explorer CTableLayout::AddRow Out-Of-Bounds Memory Access Vulnerability
ZDI-15-360: Microsoft Internet Explorer CAttrArray Use-After-Free Remote Code Execution Vulnerability
ZDI-15-361: Microsoft Internet Explorer CCurrentStyle Use-After-Free Remote Code Execution Vulnerability
ZDI-15-362: Microsoft Internet Explorer CTreePos Use-After-Free Remote Code Execution Vulnerability