CVE-2014-1776
Published 2014-04-27
Priority P187 · critical · CVSS 3.1: 9.8
CISA Known Exploited Vulnerability, due 2022-07-28
Exploited in the wild
EPSS: 88.01% (99.7th percentile)
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via vectors related to the CMarkup::IsConnectedToPrimaryMarkup function, as exploited in the wild in April 2014. NOTE: this issue originally emphasized VGX.DLL, but Microsoft clarified that "VGX.DLL does not contain the vulnerable code leveraged in this exploit. Disabling VGX.DLL is an exploit-specific workaround that provides an immediate, effective workaround to help block known attacks."
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
bytes: 0xC917432
- Pirpi.2014 payload (IePorxyv.dll) checks for a configuration file at %APPDATA%\vcl.tmp or %TEMP%\vcl.tmp on startup; presence of vcl.tmp is a host-based indicator of compromise.
- Pirpi C2 communications use HTTP GET requests with encrypted data exfiltrated via the HTTP Cookie header field; network detection should inspect Cookie header contents for anomalous encrypted blobs.
- The exploit delivery mechanism embeds an encrypted payload inside an animated GIF using steganography; detection should flag animated GIF downloads from exploit-landing pages that contain embedded PE artifacts.
- Shellcode uses a rotate-right-7 (ror 7) hash algorithm on kernel32.dll export names to resolve API functions; the constant 0xC917432 identifies LoadLibraryA. Detecting ror-7 shellcode patterns or this constant is a strong indicator.
- Shellcode uses a single-byte XOR algorithm to decrypt the final payload; look for single-byte XOR decryption loops in shellcode extracted from IE exploit traffic.
- Anomalous VGX.DLL application crashes in IE were observed as a side-effect of exploitation; monitoring for VGX.DLL crash events in EDR/WER telemetry can surface exploitation attempts.
- The exploit leverages a well-known Flash exploitation technique to bypass ASLR/DEP on Windows; network detection should correlate IE process spawning Flash with subsequent shellcode execution.
- RC4 encryption is used within the CVE-2014-1776 exploit/payload to obfuscate activity; RC4 key-scheduling patterns in memory or network traffic associated with IE exploitation are a detection opportunity.
- VGX.DLL is NOT the location of the vulnerable code; deregistering it is only an exploit-specific workaround for known attacks, not a general fix.
- The Pirpi.2014 payload uses hardcoded C2 domains encoded inside the binary as a fallback when vcl.tmp is absent; C2 domains may vary per campaign and are not static across all samples.
- The C2 URL structure differs between Pirpi.2014 and Pirpi.2015 variants; URL-pattern-based detection rules must account for variant-specific differences.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-44fv-7jv8-5cpp: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service
ghsa_unreviewed · 2022-05-14 · CVE-2014-1776 [HIGH] CWE-416
VulnCheck
Microsoft Internet Explorer Memory Corruption Vulnerability
vulncheck · 2014 · CVSS 9.8 · CVE-2014-1776 [CRITICAL] CWE-416
Microsoft Internet Explorer contains a memory corruption vulnerability that allows remote attackers to execute code in the context of the current user.
Affected: Microsoft Internet Explorer
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2014-1776; https://cyberwarzone.com/wp-content/uploads/2019/02/ReportGlobalThreatIntelligence.pdf; https://www.recordedfuture.com/russian-apt-toolkits; https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong; https://cisa.gov/news-events/alerts/2015/04/29/top-30-targeted-high-risk-vulnerabilities; https://www.us-cert.gov/ncas/alerts/TA15-119A; htt
CISA
Microsoft Internet Explorer Memory Corruption Vulnerability
cisa · 2022-01-28 · CVSS 9.8 · CVE-2014-1776 [CRITICAL] CWE-416
Affected: Microsoft Internet Explorer
Microsoft Internet Explorer contains a memory corruption vulnerability that allows remote attackers to execute code in the context of the current user.
Required Action: Apply updates per vendor instructions.
Notes: https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-021?redirectedfrom=MSDN; https://nvd.nist.gov/vuln/detail/CVE-2014-1776
Remediation Due Date: 2022-07-28
Suricata
ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M1
suricata · 2014-10-09 · CVSS 9.8 · CVE-2014-1776 [CRITICAL]
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M1"; flow:established,to_client; file.data; content:"#default#VML"; fast_pattern; content:"dword2data"; content:"localhost"; content:".swf"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019368; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, confidence High, signature_severity Major, tag DriveBy, tag CISA_KEV, updated_at 2024_03_14;)
Suricata
ET WEB_CLIENT Microsoft Application Crash Report Indicates Potential VGX Memory Corruption
suricata · 2014-04-30 · CVE-2014-1776
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Microsoft Application Crash Report Indicates Potential VGX Memory Corruption"; flow:established,to_server; http.uri; content:"/Generic/BEX/iexplore_exe/"; content:"/vgx_dll_unloaded/"; fast_pattern; http.host; content:"watson.microsoft.com"; startswith; reference:url,community.websense.com/blogs/securitylabs/archive/2014/04/28/cve-2014-1776-using-crash-reports-to-find-possible-exploited-vulnerabilities.aspx; reference:url,www.websense.com/assets/reports/websense-crash-report-en.pdf; reference:cve,2014-1776; classtype:attempted-user; sid:2018434; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins,
Suricata
ET WEB_CLIENT Microsoft Application Crash Report Indicates Potential VGX Memory Corruption 2
suricata · 2014-04-30 · CVE-2014-1776
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Microsoft Application Crash Report Indicates Potential VGX Memory Corruption 2"; flow:established,to_server; http.uri; content:"/StageOne/iexplore_exe/"; content:"/vgx_dll/"; fast_pattern; http.host; content:"watson.microsoft.com"; startswith; reference:url,community.websense.com/blogs/securitylabs/archive/2014/04/28/cve-2014-1776-using-crash-reports-to-find-possible-exploited-vulnerabilities.aspx; reference:url,www.websense.com/assets/reports/websense-crash-report-en.pdf; reference:cve,2014-1776; classtype:attempted-user; sid:2018436; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_
No public exploits indexed.
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys · 2022-02-23
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Fortinet
The Definition and Examples of Exploit Kits | Fortinet Blog
blogs_fortinet · 2022-01-27
By Aamir Lakhani | January 27, 2022
In cybersecurity terminology, an exploit is a bit of code or a program that takes advantage of vulnerabilities or flaws in software or hardware. An exploit is not malware, but rather a way to deliver malware like ransomware or viruses. The goal of exploits is to install malware or to infiltrate and initiate denial-of-service (DoS) attacks for example.
The recent exponential growth of computer peripherals, software advances, and edge and cloud computing has led to a corresponding increase in vulnerabilities. Of course, cybercriminals love having more systems to attack with exploit kits.
What Is An Exploit Kit?
Exploit kits (EKs) are automated programs used by cybercriminals to ex
Unit42
UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload
blogs_unit42 · 2015-07-27 · CVSS 9.8 · CVE-2015-3113 [CRITICAL]
A June 23 FireEye blog post titled “Operation Clandestine Wolf” discussed a cyber espionage group, known as APT3, that had been exploiting a zero-day vulnerability in Adobe Flash. Unit 42 also tracks the APT3 group using the name UPS, which is an intrusion set with Chinese origins that is known for having early access to zero-day vulnerabilities and delivering a backdoor called Pirpi.
The UPS group has exploited several zero-day vulnerabilities, most recently using the zero-days released in the Hacking Team breach that we discussed in our July 10 blog post, “APT Group UPS Targets US Government with Hacking Team Flash Exploit”. However, the most recent original zero-day released by this group is tracked by CVE-2015-3113, which has similarities to the once zero-day vulnerabilities CVE-2014-
Unit42
UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload
blogs_unit42 · 2015-07-27 · CVSS 9.8 · CVE-2015-3113 [CRITICAL]
Authors: Robert Falcone, Richard Wartell · Published: July 27, 2015
Tags: Threat Research, Vulnerabilities, ActionScript, Adobe Flash, APT3, Internet Explorer, Operation Clandestine Wolf, Pirpi, Shellcode, Steganography, UPS, Zero-days
Qualys
US-CERT: Top 30 Vulnerabilities | Qualys
blogs_qualys · 2015-05-01 · CVSS 2.6 · [LOW]
On April 29, 2015 US-CERT published TA15-119A which describes the Top 30 vulnerabilities that critical infrastructure organizations should focus on because they are under attack all the time. The list contains Windows, Internet Explorer, Adobe Software from Reader, Flash to Cold Fusion, Java from Oracle and others and is quite similar to the more generic set of software packages published by the German BSI last December.
Here is a list of the vulnerabilities in the advisory. I have reordered and optimized where possible for efficient scanning with Qualys, for example listing the most recent patch first to take advantage of superseding patches:
- Windows: MS14-060 for CVE-2014-4114, Qualys ID: 90979
- Internet Explorer: MS14-021 for CVE-2014-1776, Qualys ID: 100191
- MS14-012 for CVE-201
Unit42
Addressing CVE-2014-6332 SWF Exploit
blogs_unit42 · 2014-11-26 · CVSS 8.8 · CVE-2014-6332 [HIGH]
Author: Palo Alto Networks · Published: November 26, 2014
Tags: Threat Research, Vulnerabilities, EMET, Endpoint, Internet Explorer, Shellcode
Unit42
Addressing CVE-2014-6332 SWF Exploit
blogs_unit42 · 2014-11-26 · CVSS 8.8 · CVE-2014-6332 [HIGH]
Continuing a recent trend in which Internet Explorer vulnerabilities are exploited using Flash, samples of an SWF purportedly used in conjunction with CVE-2014-6332 have appeared in several places. The most famous examples of this trend are the exploits for CVE-2014-0322 and CVE-2014-1776.
We have yet to encounter the SWF sample with its original exploit attached, but by looking at the SWF, it is clear that it is constructed to function with several forms of memory corruption, making the vulnerability itself less interesting. That is a great example of why our Advanced Endpoint Protection approach, which focuses on the core techniques used in attacks, works well. It will prevent uses of this SWF framework, regardless of the vulnerability it is used with.
The interesting part in this expl
Unit42
Is It the Beginning of the End For Use-After-Free Exploitation?
blogs_unit42 · 2014-07-17 · CVSS 8.8 · CVE-2014-1815 [HIGH]
Use-after-free bugs have affected Internet Explorer for years. In the past year alone, Microsoft patched 122 IE vulnerabilities, the majority of which were use-after-free bugs. This year Microsoft has already patched 126 IE vulnerabilities to date. Of those vulnerabilities, 4 were actively being exploited in the wild. These 4 exploits (CVE-2014-1815, CVE-2014-1776, CVE-2014-0322, CVE-2014-0324) were all based on use-after-free bugs.
To deal with the increasing number of use-after-free bugs and associated exploits, Microsoft introduced a series of new control mechanisms in the most recent Internet Explorer patches. In June, Microsoft introduced a new isolated heap mechanism to solve the usage issue of use-after-free exploitation. They followed that up in July by implementing a deferred fre
Unit42
Is It the Beginning of the End For Use-After-Free Exploitation?
blogs_unit42 · 2014-07-17 · CVSS 8.8 · [HIGH]
Authors: Tao Yan, Bo Qu, Royce Lu · Published: July 16, 2014
Tags: Malware, Threat Research, Deferred free, Internet Explorer, Isolated heap, Microsoft, Use after free
Unit42
Palo Alto Networks Identifies 21 New Critical Vulnerabilities in Internet Explorer
blogs_unit42 · 2014-06-10 · CVSS 9.3 · [CRITICAL]
Today, Microsoft patched 59 Internet Explorer vulnerabilities, 21 of them discovered by Palo Alto Networks researchers. Palo Alto Networks is committed not only to detecting attacks, but preventing them as well.
Our internal research team discovered each of these 21 vulnerabilities and reported them to Microsoft so they could begin building and testing patches. Microsoft has already credited our team with 14 previous IE vulnerabilities in 2014, bringing our total for the year up to 35. We want to acknowledge Palo Alto Networks researchers Bo Qu, Hui Gao, Royce Lu, Xin Ouyang and the entire IPS team for all of the hard work they’ve put into discovering and validating these vulnerabilities.
### Here’s what you need to know
- All 21 vulnerabilities are rated Critical because they allow for
Unit42
Palo Alto Networks Identifies 21 New Critical Vulnerabilities in Internet Explorer
blogs_unit42 · 2014-06-10 · CVSS 9.3 · [CRITICAL]
Author: Ryan Olson · Published: June 10, 2014
Tags: Threat Research, Vulnerabilities, Internet Explorer, Microsoft, Microsoft Security Bulletin, Patch Tuesday
Unit42
How To Defend Against Advanced IE Exploitation
blogs_unit42 · 2014-06-06
In February, Microsoft awarded $100,000 to Yu Yang (@Tombkeeper) for reporting a new mitigation bypass technique as part of Microsoft’s Bounty Program. Yu later demonstrated his research at CanSecWest in March. In his slides, he mentioned that a "god mode" of Internet Explorer could be turned on by a one byte overwrite. However, he had to heavily redact this information due to an agreement between himself and Microsoft.
After his slides were released, researchers began working to determine what the missing parts were. And before long, Yuki Chen (@guhe120), a Chinese researcher, posted his answer. Although the code was removed soon after posting, a copy was still maintained and used by Metasploit. Following this code, another researcher posted his VB script version using more advanced tech
Unit42
How To Defend Against Advanced IE Exploitation
blogs_unit42 · 2014-06-06
Author: IPS Team · Published: June 6, 2014
Tags: Malware, Threat Research, ActiveX, Flash, Internet Explorer, IPS, Microsoft, Use after free
Talos
An Introduction to Recognizing and Decoding RC4 Encryption in Malware
blogs_talos · 2014-06-03 · CVSS 9.8 · CVE-2014-1776 [CRITICAL]
There is something that we come across almost daily when we analyze malware in the VRT: RC4. We recently came across CVE-2014-1776 and like many malware samples and exploits we analyze, RC4 is used to obfuscate or encrypt what it is really doing. There are many ways to implement RC4 and it is a very simple, small algorithm. This makes it very common in the wild and in various standard applications. Open-source C implementations can be found on several websites such as Apple.com and OpenSSL.org.
### What is RC4?
RC4 was designed by Ron Rivest of RSA Security in 1987. RC4 is a fast and simple stream cipher that uses a pseudo-random number generation algorithm to generate a key stream. This key stream can be used in an XOR operation with plaintext to generate ciphertext. The same key stream ca
Unit42
A Tale of 3 Vulnerabilities, CVE-2014-1776 Exploit Linked to Previous Attacks
blogs_unit42 · 2014-05-02 · CVSS 8.8 · CVE-2014-1776 [HIGH]
### Summary
- The exploit code used in the recent CVE-2014-1776 attacks shares many similar characteristics with code that exploited CVE-2014-0322 and CVE-2013-3163.
- The shared techniques, variable names and code structure suggest these exploits share a common author or template.
- Palo Alto Networks customers are protected from exploitation of CVE-2014-1776 with content release 433-2194.
Late last month reports surfaced that a new Internet Explorer vulnerability (CVE-2014-1776) was being exploited in targeted attacks. The vulnerability allows an attacker to take full control over the system after a user views a web page in their browser. According to Microsoft, it affects versions of Internet Explorer from version 6 to 11, meaning that almost all IE users are vulnerable to this bug
Krebs
Microsoft Warns of Attacks on IE Zero-Day
blogs_krebs · 2014-05-02 · CVSS 9.8 · CVE-2014-1776 [CRITICAL]
Microsoft is warning Internet Explorer users about active attacks that attempt to exploit a previously unknown security flaw in every supported version of IE. The vulnerability could be used to silently install malicious software without any help from users, save for perhaps merely browsing to a hacked or malicious site.
In an alert posted on Saturday, Microsoft said it is aware of “limited, targeted attacks” against the vulnerability (CVE-2014-1776) so far.
Microsoft’s security advisory credits security firm FireEye with discovering the attack. In its own advisory, FireEye says the exploit currently is targeting IE9 through IE11 (although the weakness also is present in all earlier versions of IE going back to IE6), and that it leverages a well-known Flash exploitation technique to bypa
Unit42
A Tale of 3 Vulnerabilities, CVE-2014-1776 Exploit Linked to Previous Attacks
blogs_unit42 · 2014-05-02 · CVSS 8.8 · CVE-2014-1776 [HIGH]
Author: Bo Qu · Published: May 2, 2014
Tags: High Profile Threats, Threat Research, Vulnerabilities, CVE-2014-1776, Internet Explorer, Microsoft
Talos
Anatomy of an exploit: CVE 2014-1776
blogs_talos · 2014-05-02 · CVE-2014-1776
This post is co-authored by Alex McDonnell, Brandon Stultz, Joel Esler, Patrick Mullen, Armin Pelkmann, and Craig Williams
When the Internet Explorer 0-day CVE 2014-1776 was announced, we turned to our intelligence feeds for more information. In the course of taking it apart we found a few things that were quite interesting that we wanted to share.
The first thing to notice is that even though CVE 2014-1776, which we talked about earlier this week, is an Internet Explorer vulnerability that uses Javascript to cause exploitation, there was almost no obfuscation of the code. Usually multiple layers of obfuscation are used and free javascript obfuscators are layered on top of each other to make it difficult for researchers and detection devices to identify what is happening in the code. Ins
Talos
Internet Explorer & Adobe Flash 0-Day Coverage
blogs_talos · 2014-04-29 · CVSS 10.0 · CVE-2014-1776 [CRITICAL]
Recently several "0day" releases have come out in the security world, and the VRT has released coverage for two critical vulnerabilities, so we wanted to notify you of this coverage so you can use the SIDs to protect your environment.
- Microsoft Internet Explorer 0day CVE-2014-1776: SIDs 30794 & 30803, https://technet.microsoft.com/en-US/library/security/2963983
- Adobe Flash 0day CVE-2014-0515: SIDs 30876 & 30877, http://helpx.adobe.com/security/products/flash-player/apsb14-13.html
Coverage for both of these vulnerabilities was released yesterday, April 28, 2014. The latest rule pack will provide the updates for both of these vulnerabilities.
http://blog.snort.org/2014/04/sourcefire-vrt-certified-snort-rules_7339.html
http://blog.snort.org/2014/04/sourcefire-vrt-certified-snort-rules_28.ht
Unit42
Palo Alto Networks Protects Customers From Critical IE Vulnerability CVE-2014-1776
blogs_unit42 · 2014-04-29 · CVSS 9.8 · CVE-2014-1776 [CRITICAL]
Author: Scott Simkin · Published: April 29, 2014
Tags: High Profile Threats, Threat Research, Vulnerabilities, CVE-2014-1776, Cyvera, Internet Explorer, Microsoft
Unit42
Palo Alto Networks Protects Customers From Critical IE Vulnerability CVE-2014-1776
blogs_unit42 · 2014-04-29 · CVSS 9.8 · CVE-2014-1776 [CRITICAL]
### Summary
- Critical vulnerability (CVE-2014-1776) identified in Internet Explorer, with active attacks observed in the wild
- IE vulnerability could be used to exploit multiple versions of Internet Explorer, including those on Windows-XP based systems, which no longer receive security updates from Microsoft
- Palo Alto Networks Threat Prevention customers are protected from exploitation of the vulnerability
- Cyvera endpoint solution specializes in preventing the type of exploitation behavior used in this attack
On Saturday, Microsoft disclosed a critical vulnerability in Internet Explorer, CVE-2014-1776, affecting Internet Explorer versions 6 through 11. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been prope
Talos
Internet Explorer & Adobe Flash 0-Day Coverage
blogs_talos · 2014-04-29 · CVSS 10.0 · CVE-2014-1776 [CRITICAL]
Krebs
Microsoft Warns of Attacks on IE Zero-Day – Krebs on Security
blogs_krebs·2014-04-01·CVSS 9.8
CVE-2014-1776 [CRITICAL] Microsoft Warns of Attacks on IE Zero-Day – Krebs on Security
Microsoft is warning Internet Explorer users about active attacks that attempt to exploit a previously unknown security flaw in every supported version of IE. The vulnerability could be used to silently install malicious software without any help from users, save for perhaps merely browsing to a hacked or malicious site.
In an alert posted on Saturday, Microsoft said it is aware of “limited, targeted attacks” against the vulnerability (CVE-2014-1776) so far.
Microsoft’s security advisory credits security firm FireEye with discovering the attack. In its own advisory, FireEye says the exploit currently is targeting IE9 through IE11 (although the weakness also is present in all earlier versions of IE going back to IE6), and that it leverages a well-known Flash exploitation technique to byp
Recorded Future
Tracking the Clandestine Fox
blogs_recorded_future·CVSS 8.1
CVE-2014-1776 [HIGH] Tracking the Clandestine Fox
## Tracking the Clandestine Fox
## Analysis Summary
- FireEye Research Labs reports targeted attacks using a new IE zero-day against defense and financial services.
- Early details on malware in the wild and the threat actor behind it are slight.
- FireEye links to Pirpi provide an interesting clue, while Websense analysis of IE crashes points in a different direction.
## The Vulnerability: Internet Explorer CVE-2014-1776
Last Saturday, FireEye Research Labs flagged an Internet Explorer (IE) zero-day being actively exploited in targeted attacks. This Microsoft Internet Explorer vulnerability, CVE-2014-1776, broadly impacts IE versions from 6 through 11, and is trending strongly in open source.
CVE-2014-1776 is the highest profile vulnerability yet to hit Windows XP, which recently passed ou
Recorded Future
Tracking Moving Targets: Exploit Kits and CVEs
blogs_recorded_future
Tracking Moving Targets: Exploit Kits and CVEs
# Tracking Moving Targets: Exploit Kits and CVEs
One year ago, Paunch, the notorious programmer who coded the Blackhole exploit kit, was arrested and charged with the distribution and sale of his wares. Blackhole was an epic Russian exploit kit, rented and used by thousands for their successful campaigns against a range of targets.
Since Paunch’s arrest, the exploit kit threat landscape has changed significantly as malicious actors have sought out new tool kits. Recorded Future undertook the task of analyzing over 600,000 unique web sources to identify the most prevalent exploit kits, what CVEs they commonly leverage, and what the most vulnerable products are.
To get started, let’s craft a simple query looking for mentions of any exploit kit over the last six months.
Threat Intel
APT3 (APT3, Gothic Panda, Pirpi)
threat_intel·CVSS 9.8
[CRITICAL] APT3 (APT3, Gothic Panda, Pirpi)
# Threat Actor Profile: APT3
ATT&CK ID: G0022
Also known as: APT3, Gothic Panda, Pirpi, UPS Team, Buckeye, Threat Group-0110, TG-0110
Suspected origin: China
## Overview
APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security.(Citation: FireEye Clandestine Wolf)(Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.(Citation: FireEye Clandestine Wolf)(Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.(Citation: Symantec Buckeye)
## Techniques (TTPs)
### Initial Access
- T1566.002 Spearphishing L
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
arxiv_fulltext·2025-02-12
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
Almuthanna Alageel and Sergio Maffeis
Department of Computing, Imperial College London, London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
arXiv
Casting exploit analysis as a Weird Machine reconstruction problem
arxiv_fulltext·2021-09-27
Casting exploit analysis as a Weird Machine reconstruction problem
Robert Abela and Mark Vella
Department of Computer Science, University of Malta, Malta
Email: {Robert.Abela.15, Mark.Vella}@um.edu.mt
## Abstract
Exploits constitute malware in the form of application inputs. They take advantage of security vulnerabilities inside programs in order to yield execution control to attackers. The root cause of successful exploitation lies in emergent functionality introduced when programs are compiled and loaded in memory for execution, called 'Weird Machines' (WMs). Essentially WMs are unexpected virtual machines that execute attackers' bytecode, complicating malware analysis whenever the bytecode set is unknown. We take the direction that WM bytecode is best understood a
- http://blogs.technet.com/b/srd/archive/2014/04/30/protection-strategies-for-the-security-advisory-2963983-ie-0day.aspx
- http://secunia.com/advisories/57908
- http://securitytracker.com/id?1030154
- http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html
- http://www.kb.cert.org/vuls/id/222929
- http://www.osvdb.org/106311
- http://www.securityfocus.com/bid/67075
- http://www.signalsec.com/cve-2014-1776-ie-0day-analysis/
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-021
- https://technet.microsoft.com/library/security/2963983
- https://www.vicarius.io/vsociety/posts/cve-2014-1776-use-after-free-vulnerability-in-microsoft-internet-explorer-detection-script
- https://www.vicarius.io/vsociety/posts/cve-2014-1776-use-after-free-vulnerability-in-microsoft-internet-explorer-mitigation-scripts
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-1776
2014-04-27: Published
2022-01-28: Added to CISA KEV
Exploited in the wild