Former Member
Message 31 of 59

Re: cve 2014-1776 IE Zero Day Exploit - Any News from McAfee??

No issues here with the extra.dat; about 40,000 nodes. But as mentioned above, I am not even sure at this point if the extra.dat applies/works/is effective with VSE. Still waiting for a response from our account rep on that one.

malware-alerts
Reliable Contributor
Message 32 of 59

Re: cve 2014-1776 IE Zero Day Exploit - Any News from McAfee??

The blog about this was corrected since I last complained to our SAM:

https://blogs.mcafee.com/mcafee-labs/product-coverage-mitigation-cve-2014-1776-microsoft-internet-ex...

  • McAfee VirusScan (AV): The 7423 DATs (release date April 29, 2014) provide coverage for perimeter/gateway products and the command-line scanner-based technologies. Full detection capabilities, across all products, will be released in the 7428 DAT update (release date May 4, 2014).

malware-alerts
Reliable Contributor
Message 33 of 59

Re: cve 2014-1776 IE Zero Day Exploit - Any News from McAfee??

Part 1: it's an IE / MS issue, you should put your money on that

on 4/30/14 5:04:25 AM CDT

The underlying issue is with the legacy VML. Unregistering VGX.DLL does the trick until an MS security update comes out. Only problem is: you'll need to re-register VGX.DLL to apply the update when MS releases it.

The way to exploit it is a well-known method using vulnerable Flash:

http://www.fireeye.com/blog/technical/cyber-exploits/2013/10/aslr-bypass-apocalypse-in-lately-zero-d...

Patch Flash to v13.0 on Windows and you break the current method of exploit; it buys you some time until the full protection is available from McAfee.

Message was edited by: malware-alerts on 4/30/14 10:54:31 AM CDT
Former Member
Message 34 of 59

Re: cve 2014-1776 IE Zero Day Exploit - Any News from McAfee??

Until the DAT comes out, HIPS signature 428, Generic Buffer Overflow, will catch this activity if it occurs. By default that's a HIGH signature. A simple Threat Event query with the filter set to look for "buffer" in the Signature Name (Host IPS) will show you any hits.

Hayton
Reliable Contributor
Message 35 of 59

Re: cve 2014-1776 IE Zero Day Exploit - Any News from McAfee??

Microsoft are issuing an emergency update to address this vulnerability.

ALL versions of Windows will receive this fix, including XP.

https://technet.microsoft.com/library/security/ms14-may.aspx

Former Member
Message 36 of 59

Re: cve 2014-1776 IE Zero Day Exploit - Any News from McAfee??

kenobe, how did you get this information about sig 428? Did McAfee Support tell you, or did you have the exploit in your environment?

If you have it in your environment, can you post the HIPS event? I would like to see the IPS Parameter and IPS Parameter value.

Did you track this back to a specific website? Thanks for the info.

Former Member
Message 37 of 59

Re: cve 2014-1776 IE Zero Day Exploit - Any News from McAfee??

I got the info about the HIPS event description from here:

http://blogs.mcafee.com/mcafee-labs/product-coverage-mitigation-cve-2014-1776-microsoft-internet-exp...

Looked up Generic Buffer Overflow in the McAfee Default IPS rules - 428. 

I haven't seen it at my site but can post info if I do before the eventual patch is applied.

Former Member
Message 38 of 59

Re: cve 2014-1776 IE Zero Day Exploit - Any News from McAfee??

Ya...none of my sources have released the 7423 as of yet....

Former Member
Message 39 of 59

Re: cve 2014-1776 IE Zero Day Exploit - Any News from McAfee??

The exploit for CVE-2014-1776 uses a malicious SWF file to leverage vgx.dll to write to memory space.

malware-alerts
Reliable Contributor
Message 40 of 59

Re: cve 2014-1776 IE Zero Day Exploit - Any News from McAfee??

Applying the latest Flash update (13.0.0.206) works; it basically closes the bridge needed to exploit CVE-2014-1776.

Message was edited by: malware-alerts on 4/28/14 2:25:04 PM CDT
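
An added example, not part of any post above and not McAfee or Microsoft code: a Python script that checks a host inventory against the three interim measures the posters mention (Flash 13.0.0.206, VGX.DLL unregistered, DAT 7428). The inventory layout, column names and host names are constructed assumptions; versions are compared as integer tuples because a plain string comparison would rank 13.0.0.99 above 13.0.0.206.

```python
import csv
import io

# Thresholds taken from the posts in this thread.
FLASH_FIXED = (13, 0, 0, 206)   # Flash build said to close the exploit path
DAT_FULL_COVERAGE = 7428        # DAT quoted as giving full detection on all products

# Constructed sample inventory; the columns are assumptions, not an ePO export format.
SAMPLE_INVENTORY = """host,flash_version,vgx_registered,dat_version
ws-001,12.0.0.77,yes,7422
ws-002,13.0.0.206,yes,7423
ws-003,13.0.0.99,no,7428
ws-004,,no,7423
"""


def parse_version(text):
    """Turn '13.0.0.206' into (13, 0, 0, 206); an empty field means Flash is absent."""
    text = text.strip()
    return tuple(int(part) for part in text.split(".")) if text else None


def open_gaps(row):
    """Return the interim measures from the thread that this host still lacks."""
    gaps = []
    flash = parse_version(row["flash_version"])
    if flash is not None and flash < FLASH_FIXED:
        gaps.append("flash<13.0.0.206")
    if row["vgx_registered"].strip().lower() == "yes":
        gaps.append("vgx.dll registered")
    if int(row["dat_version"]) < DAT_FULL_COVERAGE:
        gaps.append("dat<7428")
    return gaps


def triage(inventory_csv):
    """Map host -> open gaps, hosts with the most gaps first."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    report = {row["host"]: open_gaps(row) for row in rows}
    return dict(sorted(report.items(), key=lambda item: -len(item[1])))


if __name__ == "__main__":
    for host, gaps in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(gaps) or 'all interim measures in place'}")
```
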
