That was quick! Microsoft patches the "1776" hole in Internet Explorer


Remember the Internet Explorer (IE) zero-day bug that made the headlines a few days ago?

It went by the nerdy name of CVE-2014-1776, which ended up being surprisingly memorable in North America, because 1776 is the year of US independence.

Sadly, the problem first came to light as the result of a real-world attack.

In other words, cybercriminals found and exploited the bug before the good guys knew about it.

(That's why it's called a zero-day, because even a well-prepared user would have had zero days to install the patch, because there wasn't one.)

Fortunately, the Bad Guys went for what Microsoft called "limited targeted attacks", meaning that the crooks didn't pump out booby-trapped web links indiscriminately, choosing instead to focus on a small set of (undisclosed) victims.

That means most of us got some sort of advance warning, together with numerous temporary measures, known as workarounds, giving us a way to protect ourselves while we waited for a proper fix.

→ Whether to attack the whole world or to zoom in on a specific victim depends on the motivation of the attackers. If the goal is to distribute a new strain of zombie malware far and wide, an untargeted attack will give the broadest results before a patch is available. But if the goal is industrial espionage, for instance, then attacking everyone in the hope of breaching a specific company might result in a patch coming out in time to save the intended victim.

The attacks actually seen in the wild targeted IE 9, 10 and 11; they also relied on a Flash file to help the attack along, and an IE extension from Microsoft called VGX.DLL used for vector graphics rendering.

So, although the cybercrooks were not using any bugs in Flash or in VGX.DLL, they relied on both components being available, so turning off either of them prevented the attacks from working.

Of course, there are two reasons why this sort of protection can only be considered partial and temporary:

  • If you need Flash or vector graphics rendering, you have to lose functionality in order to improve safety.
  • The bug exists in all versions of IE, and so other ways of exploiting it, with or without Flash and VGX.DLL, might yet be found.

So, here is the good news.

Microsoft has issued a security bulletin announcing the immediate availability of a fix that closes this hole.

That means you won't have to wait until next Patch Tuesday for an update.

The bottom line is:

  • All versions of IE on all versions of Windows contain a security hole that could allow cybercriminals to implant malware on your computer with little or no warning.
  • Microsoft has published a security update that closes this hole so it can no longer be used to attack your computer.
  • We recommend you get the update as soon as possible if you haven't already.
  • Go to Control Panel | Windows Update if you aren't sure where to start.

One last thing is that even XP users can get this update, which applies to IE versions from IE 6 to IE 11, rather than to Windows itself.

That's a big mercy for those sticking to XP, for whom this attack would otherwise remain a zero-day forever.

PS. Microsoft's decision to help out XP users and to patch right back to IE6 is not an excuse to put off your upgrade. This largesse from Redmond won't go on forever, and by leaving yourself at risk, you risk harming the rest of us while you're about it. Find out why:


18 Responses to That was quick! Microsoft patches the "1776" hole in Internet Explorer

  1. Steve · 524 days ago

    You're not mistaken- it's definitely available for Windows XP:

    There's a sentence or two telling why XP was included.

    • Paul Ducklin · 524 days ago

      Thanks for that...I reworded my final remarks (to be more definitive) and included a link to Microsoft's article saying, "Well, yeah, we did you XPers a favour, now you mention it" :-)

      Then, having done that, I felt impelled to add a final remark to my final remark saying, "Because it's a favour from Microsoft, don't dine out on it for too long!"

  2. Pat · 524 days ago

    Will Windows Update install this patch on an XP system, or does the user have to download and install it manually?

    • Paul Ducklin · 524 days ago

      Calling all XP users...anyone still using XP (you may remain anonymous :-), can you comment here?

      • Mex · 523 days ago

        Just turn automatic updates on and it will appear in the lower right corner.

        "Anonymous" a nice way to put it, lol

      • Anonymous · 523 days ago

        What, you think someone reading this blog is still using XP attached to a network? :-)

        All the articles I've seen about it imply that the update will be automatic for XP users. Of course, any users who disabled the Windows Update check ("Well, I'm not going to get any more of these, so no reason to check anymore") will have to re-enable it. And anyone who is concerned can always force the check (it doesn't hurt).

        • Paul Ducklin · 523 days ago

          What he/she said.

        • MikeP · 523 days ago

          Yes! There are probably millions of XP users still and a great majority will be connected to a network, even if only a home network.

      • Anonymous · 523 days ago

        Yes, I use Win7 but still have an old XP, just turned it on and the new patch was delivered fast, already installed it.

      • Jasper · 523 days ago

        I am an XP user, XP's the best. I was using Win7 & 8 for years, then I had to use XP. When I tried it, it was amazing! XP4EVER. Will need to go back to 7 because of security and stuff. Many programs will not work on XP too... :(

        • Mang · 523 days ago

          I can't say I disagree with you.
          I miss XP. Vista/7/8 just ain't as good.

          8 could be really good if it wasn't for the stupid interface/annoying things where clicking back takes you somewhere entirely different.

    • MikeP · 523 days ago

      If you have Automatic Updates set up, it will do it today. If you have set XP to manual (which I have recommended for years so you don't get unwanted junk), then run Windows update yourself and it will be offered to all XP users. That's what I've just done on my VM version of XP Pro.

  3. Tony · 523 days ago

    Windows 7 user - 32 or 64 bit updates gave - Incorrect version error
    Could not even uninstall IE (8) - never used -
    Does not appear in Programs & Features / Installed updates

    • Jim · 523 days ago

      IE 8 is baked into Windows 7. You CAN uninstall it, but you have to click on "Turn Windows features on or off" in the left nav bar.

  4. Bob · 523 days ago

    I am an XP user. Would everybody stop trying to make me feel bad about that? Actually I run W7-64, but under that I have 4 XP virtual machines. My clients use different VPN managers and they don't play nicely together. A couple of days ago I had to give one of their IT support staff remote control and I was very pleased to be handing over access to an almost empty VM, rather than all my personal, business and client data. (Yes, I have integration turned off in the VM. Also I don't use it for browsing, just the VPN.)

    So unless W7 VM licences are now free, I think I'll stick with XP, if that's OK with you :-). Or is there a better way?

  5. I have this weird set up at my house where the internet is routed into a Windows XP computer, and routed out to wifi. It's weird because the computer is always "off" but the wifi still goes through the computer somehow. The question I've been asking is whether or not we're affected by the phasing out of XP as the computer's essentially a big clunky wire.

    • Jim · 523 days ago

      You probably want to eliminate that configuration. It probably dates to an era where XP was a decent "firewall". But, that was a long time ago.

      I recommend you buy a good firewall/router/wireless device. You can find them for $50 - $300, and the $50 end is still quite good.

      Keep the firmware in the router up to date. This should be the first thing you do with it after connecting the cables. Instructions should be in the manual.

    • Paul Ducklin · 522 days ago

      If, when you say the computer is "off", you mean that it is actually powered down and not running at all, then it is redundant. You should disconnect it and remove it from the equation in case anyone ever turns it on and exposes it to the myriad risks of the internet.

      If you mean that it is turned on, and running XP, but no-one is logged in (in other words, it's acting as a server), then it is a liability. You should disconnect it and replace it with a more purposeful firewall/router, as suggested by the previous commenter.

      If you are unconvinced by, or unaware of, what the End of XP means for you (and for everyone else around you online), you might want to listen to the podcast at the end of the article.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog