Symantec is aware of reports of a zero-day vulnerability (CVE-2014-1776) that affects all versions of Internet Explorer.
Microsoft released a security advisory (2963983) about a vulnerability in Internet Explorer that is being leveraged in limited targeted attacks. There is currently no patch available for this vulnerability and Microsoft has not at the time of writing provided a release date for one.
Our testing confirmed that the vulnerability crashes Internet Explorer on Windows XP. This will be the first zero day vulnerability that will not be patched for Windows XP users, as Microsoft ended support for the operating system on April 8th, 2014. However, Microsoft states that versions of the Enhanced Mitigation Experience Toolkit (EMET) 4.1 and above can mitigate this vulnerability in Internet Explorer and is available for Windows XP users. Besides using EMET, Symantec Security Response encourages users to temporarily switch to a different Web browser until a patch is made available by the vendor.
Symantec protects customers against this attack with the following detections:
Antivirus
- Bloodhound.Exploit.552
Intrusion Prevention Signatures
- Web Attack: MSIE Use After Free CVE-2014-1776
We will update this blog with additional information as soon as it will be available.