Monday, April 28, 2014

How to mitigate the not-to-be-patched IE zero-day for Windows XP

So, after the XPocalypse, we have the first "critical" vulnerability that is currently exploited in the wild and affects all currently supported versions of IE. The CVE assigned to the vulnerability is CVE-2014-1776 and the Microsoft Security Advisory is 2963983.

As expected, there is no mention of Windows XP in the Security Advisory. This really is a first.

However, since there is no patch out yet for the currently supported Windows operating systems either, in both the consumer and server flavors, could the workarounds mentioned in the advisory be used for Windows XP as well?

So, here is the list of workarounds (for more details you could go to the Security Advisory page):
  • Deploy EMET 4.1. EMET adds protection layers that make exploitation harder.
  • Set the Internet and Local Intranet zone settings to High. This will block ActiveX and Active Scripting.
  • Configure IE to prompt before running ActiveX and Active Scripting in the above zones.
  • Unregister the VGX.dll. This will break VML rendering.
    • Do this by running in the Run window the following command: "%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
  • Modify the ACL on the VGX.dll to a more restrictive setting.
  • Enable Enhanced Protected Mode for IE 11.
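The fourth and fifth workarounds as a single cmd.exe script with a rollback mode, added here as an example and not part of the original post or the advisory. The cacls "/E /P everyone:N" and "/E /R everyone" flags are the ones the advisory uses for the ACL workaround; the script name, the "undo" argument and the assumption of the stock VGX path are this example's own.

```batch
@echo off
rem Added example (not from the post or the advisory): disable VML in IE on
rem Windows XP by unregistering vgx.dll and denying Everyone access to it.
rem Run from an administrator account; "disable-vml.cmd undo" rolls it back.
setlocal
set "VGX=%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

if not exist "%VGX%" (
    echo vgx.dll not found at "%VGX%"; nothing to do.
    exit /b 0
)

if /i "%~1"=="undo" goto :undo

rem --- apply ---
rem /s suppresses the regsvr32 dialog; a non-zero exit code means the
rem unregistration failed (usually because the account is not an administrator).
"%SystemRoot%\System32\regsvr32.exe" /s /u "%VGX%"
if errorlevel 1 (
    echo Unregistering vgx.dll failed; are you running as an administrator?
    exit /b 1
)
rem /E edits the existing ACL instead of replacing it; /P everyone:N adds a
rem "No access" entry so the DLL cannot be loaded even if something re-registers it.
echo y| cacls "%VGX%" /E /P everyone:N
echo VML rendering is now disabled. Run "%~nx0 undo" to restore it.
exit /b 0

:undo
rem Remove the deny entry first; otherwise regsvr32 cannot read the DLL.
echo y| cacls "%VGX%" /E /R everyone
"%SystemRoot%\System32\regsvr32.exe" /s "%VGX%"
if errorlevel 1 (
    echo Re-registering vgx.dll failed.
    exit /b 1
)
echo VML rendering restored.
exit /b 0
```

Close all IE windows before running either mode, since an already loaded vgx.dll stays in the process until IE restarts.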

All of the above are valid options for Windows XP. I would choose the fourth option. I didn't even know IE had VML support (especially older IE versions). Don't think anyone is going to be missing that.

So, no need to panic. At least this time. Although you could install a different browser altogether, which will have VML support and not be susceptible to the exploit.

The real takeaway though from this vulnerability is the amount of hype it got. As we have seen again and again, it's more about the headlines and less about the actual danger.

The real danger is this: what happens when an actual vulnerability exists for which no workaround is possible? If we keep shouting "The sky is falling" for each critical but easily mitigated vulnerability that affects XP, then the really nasty ones will slip through the cracks. Let's not forget, we are really trying to protect casual users, who have no idea what a vulnerability is, much less how to apply workarounds and mitigations. They won't pay attention after the third (if that) time we blow things out of proportion.

Let's all spend our valuable time and effort to educate rather than scare.

P.S. Getting patches does not mean being safer (just google Heartbleed).
