I've been doing some digging on this/these things this evening... It seems like there are two closely related exploit-able things floating around that have surfaced in the last 24-36 hours:
CVE-2014-0515 CVE-2014-1776 (I assume I'm interpreting this correctly...) One of them (CVE-2014-0515) is a Flash exploit that could potentially target any Windows based browser, including Internet Explorer. Microsoft has released a security bulletin, etc. about this one because on Win8+ (with IE10 or above), Microsoft is "handling" Flash patching/updates. Adobe has released a seperate 0-day update/release for this as well: http://helpx.adobe.com/security/products/flash-player/apsb14-13.html However.... The second one (CVE-2014-1776) is an exploit specific to Internet Explorer (which currently leverages a vulnerable Flash to introduce the exploit on remote systems). This where things get clear as mud for me: http://blogs.technet.com/b/srd/archive/2014/04/26/more-details-about-security-advisory-2963983-ie-0day.aspx "while the vulnerability affects Internet Explorer, the exploit relies deeply on two other components to successfully trigger code execution and in particular it requires presence VML and Flash components." The aforementioned SRD post mentioned that disabling/unregistering the DLLs for VML, changing Active X/Scripting or IE Security Zones, or deploying a recent version of EMET can mitigate the issue. Symantec goes as far as providing the command to unregister the VML DLL: http://www.symantec.com/connect/blogs/zero-day-internet-vulnerability-let-loose-wild Does deploying the new version of Flash (from CVE-2014-0515) correct both issues? No one is really saying one way or the other at this point. My guess overall is "no" since exploit #2 could potentially eventually be reached via other non-Flash vectors. However, Fireeye's blog post ( http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html) says that disabling Flash will prevent the exploit. That blog post pre-dates the newest Flash release, so ... Thus far, my environment is deploying the newest Flash immediately and keeping our fingers crossed, hoping that this solution is sufficient in the meantime. On Mon, Apr 28, 2014 at 1:00 PM, Brian Mason <[email protected]> wrote: > I see CM synced and pulled 2961887 today, but it's only for Win8/8.1 and > Server12/12R2. > > > > This link mentions the patches: > https://technet.microsoft.com/library/security/2755801 > > > > - On April 28, 2014, Microsoft released an update (2961887) for > Internet Explorer 10 on Windows 8, Windows Server 2012, and Windows RT, and > for Internet Explorer 11 on Windows 8.1, Windows Server 2012 R2, and > Windows RT 8.1. The update addresses the vulnerabilities described in Adobe > Security bulletin > APSB14-13<http://helpx.adobe.com/security/products/flash-player/apsb14-13.html>. > For more information about this update, including download links, see > Microsoft > Knowledge Base Article 2961887<https://support.microsoft.com/kb/2961887> > . > > *Note *Updates for Windows RT and Windows RT 8.1 are available via Windows > Update <http://go.microsoft.com/fwlink/?LinkId=21130>. > > > > > > This link must still be written as it's coming up empty for me: > https://support.microsoft.com/kb/2961887 > > > Doesn't look like this is 0-day patch everyone has been waiting for. > > > > _________________ > > Brian Mason > > MCTS, MS MVP ECM > > http://www.mnscug.org/ > > > >
