Summary: On April 26, 2014, Microsoft released a Security Advisory (2963983) to notify customers of a vulnerability in IE.  At this time we are aware of limited, targeted attacks.  We encourage customers to follow the suggested mitigations outlined in the security advisory while an update is finalized.

Guidance on suggested mitigations:

Our investigation has revealed that Enhanced Protected Mode, on by default for the modern browsing experience in IE10 and IE11, as well as Enhanced Mitigation Experience Toolkit (EMET) 4.1 and EMET 5.0 Technical Preview, could help protect against this potential risk.  We encourage customers to follow the suggested mitigations outlined in the security advisory while an update is finalized.

The Enhanced Mitigation Experience Toolkit 4.1:
(EMET) helps mitigate the exploitation of this vulnerability by adding additional protection layers that make the vulnerability harder to exploit.  EMET 4.1 is supported by Microsoft, and is automatically configured to help protect Internet Explorer.  EMET can also be configured using Group Policy.  For more information, see Microsoft Knowledge Base Article 2458544.

More details:

·         Deploy the Enhanced Mitigation Experience Toolkit 4.1

    • Pros:  Blocks potential exploits of this vulnerability
    • Cons:  May be incompatible with some web apps

·         Enable Enhanced Protected Mode

Clarifying the IE Enhanced Protected Mode workaround

We also received questions about the Internet Explorer Enhanced Protected Mode workaround. Enhanced Protected Mode will help protect 64-bit Internet Explorer users from this attack. There is a difference between Internet Explorer 10 and Internet Explorer 11 that led to some confusion. Internet Explorer 10 has one setting to enable and Internet Explorer 11 has two settings to enable. The 64-bit aspect of Internet Explorer is a key element of this workaround as the heap spray attack is not effective in 64-bit address space, leading to a failed exploit. Enhanced Protected Mode alone on 32-bit Internet Explorer 11 is not effective in blocking the attack. The screenshots below illustrate the Internet Explorer 10 versus Internet Explorer 11 “checkbox” differences:

IE10 64bit EPM (one setting to mitigate) IE11 64bit EPM (two settings to mitigate)

o   Pros: Blocks potential exploits of this vulnerability

o   Cons:  May be incompatible with some web apps; not available on 32-bit Windows 7

Businesses who have upgraded to IE11 or IE10 can enable Enhanced Protected Mode (EPM) for additional security protection.   On Windows 8 and Windows 8.1, EPM is enabled by default for the modern, immersive browsing experience.  Customers using the touch-friendly IE11 browser on Windows tablets, for example, are already using EPM and may not be susceptible to this and similar attacks.   

Enhanced Protected Mode can be enabled and managed through Group Policy.  To manually enable EPM in IE, perform the following steps:

1.       On the IE Tools menu, click Internet Options.

2.       In the Internet Options dialog box, click the Advanced tab, and then scroll down to the Security section of the settings list.

3.       Ensure the checkboxes next to Enable Enhanced Protected Mode and Enable 64-bit processes for Enhanced Protected Mode (for 64-bit systems) are selected.

4.       Click OK to accept the changes and return to IE.

5.       Restart your system.

While Enhanced Protected Mode provides significant additional protection, it may not be compatible with some add-ons and enterprise web apps.  Also, while EPM is available for 64-bit Windows 7, it is not an option for 32-bit Windows 7 installations. 

·          Unregister VGX.DLL

o   Pros:  Relatively simple workaround

o   Cons:  May not protect against other exploits

Known attacks currently take advantage of VGX.DLL, which provides support for Vector Markup Language (VML).  VML is not natively supported by most web browsers today, so this remediation option may have the least impact on enterprise web app compatibility. 

To unregister VGX.DLL:

·         Click Start, click Run, and type “%SystemRoot%\System32\regsvr32.exe” /u /s “%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll”

·         After an update has been released and installed, you can re-register VGX.DLL with:  “%SystemRoot%\System32\regsvr32.exe” /s “%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll”

·         These commands can be issued as batch files via Microsoft System Center Configuration Manager or other infrastructure management solutions. 

For more information on these and other remediation options, please see Security Advisory 2963983.  Additional information on this limited, targeted attack can be found on the MSRC blog


IE is widely recognized as the most secure browser against socially-engineered malware, the most common form of attack, blocking 99.9% of malware in a recent NSS Labs test


We encourage you to consider upgrading to the latest version of IE for improved security features such as Enhanced Protected Mode, better backward compatibility through Enterprise Mode, increased performance, and support for the modern web standards that run today’s websites and services.


Category: How to do
Published: 5/1/2014 10:01