The following cyber advisory was issued by the New York State Office of Information Technology Services and is intended for State government entities. The information may or may not be applicable to the general public and, accordingly, the State does not warrant its use for any specific purposes.

ITS ADVISORY NUMBER:
2014-012

DATE(S) ISSUED:
2/11/2014

SUBJECT:
Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (2928390)

OVERVIEW:

This security update resolves a privately reported vulnerability in the VBScript scripting engine in Microsoft Windows. The vulnerability could allow remote code execution if a user visited a specially crafted website. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.

SYSTEMS AFFECTED:

  • Internet Explorer 10
  • Internet Explorer 9
  • Internet Explorer 8
  • Windows XP (all editions)
  • Windows Server 2003 (all editions)
  • Windows Vista (all editions)
  • Windows Server 2008 (all editions)
  • Windows Server 2008 R2 (all editions)
  • Windows Server 2012 and Windows Server 2012 R2 (all editions)
  • Windows RT and Windows RT 8.1 (all editions)

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:
In a web-based attack scenario, an attacker could take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by getting them to open an attachment sent through email.

By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use scripting to exploit this vulnerability. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.

By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability. See the FAQ section for this vulnerability for more information about Internet Explorer Enhanced Security Configuration.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

REFERENCES:
Microsoft:

http://technet.microsoft.com/en-us/security/bulletin/MS14-011

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0271

Deborah A. Snyder

Acting Chief Information Security Officer


 

Cyber Security

GIS