Symantec is aware of a zero-day vulnerability (CVE-2014-1776) that affects all Internet Explorer versions.
Microsoft released recently a security advisory about an Internet Explorer vulnerability (2963983), citing that the security hole was leveraged in limited targeted attacks. There is currently no patch available for this vulnerability and the vendor did not provide yet a release date for a patch.
Our internal testing with Windows XP confirmed the vulnerability returning an Internet Explorer crash. This should remark that especially XP users are not safe anymore and this is the first vulnerability that will be not patched for their system. The same users should be already aware that Windows XP support ended on April 8th, 2014 and Microsoft no longer provides patches against new security holes affecting the XP operating systems. One good note is that, according to Microsoft, EMET 4.1 and later versions can block the vulnerability to be exploited. Windows XP users can benefit of EMET 4.1 which is supported on Windows XP. Other alternative mitigation includes temporarily switching to a different Web browser until the patches are provided by the vendor.
Symantec protects customers against this attack with the following detections:
Intrusion Prevention Signatures
- Web Attack: MSIE Use After Free CVE-2014-1776
We will update this blog with additional information as soon as it will be available.