'Lockdown' exploit prevented in Internet Explorer accessing Sharepoint site?

I've been working with Sophos support on this issue for the past couple of weeks as we still don't have a specific resolution at this time. The issue that we see is that sites in question are invoking "VBScript God Mode."

Here's the most recent information I have from Sophos Support:

----

Mitigation   Lockdown

Platform     6.1.7601/x64 v731 06_3a
PID          11124
Application  C:\Program Files (x86)\Internet Explorer\iexplore.exe
Description  Internet Explorer 11

VBScript God Mode

... Specific details from our Event Log deleted ...

It should not be allowed as an exploit, as there is no reason to trigger this outside an exploit scenario. It uses an array allocation issue to break out of VBscripts sandbox in the browser and access the full operating system without any protections.

Page 8 of our Exploit's Explained guide discusses this vulnerability:

secure2.sophos.com/.../Comprehensive-Exploit-Prevention.pdf

VBScript God Mode On Windows:

VBScript can be used in browsers or the local shell. When used in the browser, the abilities of VBScript are restricted for security reasons. This restriction is controlled by the safemode flag. If this flag is modified, VBScript in HTML can do everything as though it’s in the local shell. Consequently, attackers can easily write malicious code in VBScript. Manipulating the safemode flag on VBScript in the web browser is known as God Mode3. As an example, an attacker can modify the safemode flag value by leveraging the CVE- 2014-6332 vulnerability4, a bug caused by improper handling while resizing an array in the Internet Explorer VBScript engine. In God Mode, arbitrary code written in VBScript can break out of the browser sandbox. Thanks to God Mode, data execution prevention (DEP), address space layout randomization (ASLR), and control-flow guard (CFG) protections are not in play. Vendors supporting this mitigation technique: Sophos Intercept X, Microsoft EMET, Malwarebytes Anti-Exploit

It is not recommended to exclude this, but to have the vendor look at their code, as this is a very well-known vulnerability, and very difficult to trigger by accident.

In any-case, the it's not scripted as God Mode as such, but as 'Safe Mode flag' (CVE-2016-6332). By default, the usage of VBScript functionality in browsers is restricted. This restriction is a controlled by ‘safemode’ flag. The default value of ‘safemode’ flag is always ‘0xE’. If the default value of ‘safemode’ flag is changed then using VBScript, malicious activity can be performed. Controlling of ‘safemode’ flag using VBScript in web browsers has been called ‘GodMode’. Thus, this exploit is famously known as ‘GodMode’ exploit.

As I mentioned above, we do not recommend setting up exclusions to get around these exploits, however here are some workaround options you could implement (in order of most to least preffered), until this is resolved in the website code:

1-The best option would be to exclude the detected exploits, Lockdown in this case. This is the recommended way to implement an exploit exclusion, however in this case it may not be feasible. The reason I say this is, in this case the Sophos identifier for each detection ( called a Thumbprint) is different on each URL visited. So, if these full URLs would change often, you would need to do another exclusion often as well. If however, you only have the few URLs that you access than this would be the best way to go.

2-Excluding Web browsers in the Threat policy, Settings under Mitigate exploits in vulnerable applications, un-check Protect Web Browsers. This can be implemented in a policy that triggers only specific users.

3-The other option, that is a global setting affecting all your users, is to exclude the browser processes via: System Settings -> General Settings -> Exploit Mitigation Exclusions

Turn off Compatibility mode

Step 1:

For IE 10 users:

Open up Internet Explorer (IE 10)

Click on the Tools menu tab

Select the Compatibility View settings option

For IE 11 users:

Open up Internet Explorer (IE 11)

Press the Alt key on your keyboard, this will make a menu bar appear

Click on the Tools menu tab

Select the Compatibility View settings option

Step 2:

If you are using IE 10, you will get the following "Compatibility View Setting" page

Uncheck the "Display all websites in Compatibility View" option

Uncheck the "Display intranet sites in Compatibility View" option

Do not add GMS or Analyzer URL to the Compatibility View box

If you are using IE 11, you will get the following "Compatibility View Setting" page

In IE 11, the  "Display all websites in Compatibility View" option is not available

Uncheck the "Display intranet sites in Compatibility View" option

Do not add GMS or Analyzer URL to the Compatibility View box

So with this issue, adding the URL experiencing the lockdown exploit to IE’s Trusted Sites in Internet Options is a viable option in helping to resolve and allow access to this particular site. Scanning will continue however and anything outside of these that triggers an alert will be flagged.

There is a fix on the horizon as this does only effect IE as far as we can tell, and mainly only Windows 10 computers. The fix from what I have been told by our GES / Development team is due out in Q2 -2018, as they have to write additional code to address this.

As for the fix you have in place, this can be continued to be used safely at this stage, and is approved by our Development team.

----

I've been working with Sophos support on this issue for the past couple of weeks as we still don't have a specific resolution at this time. The issue that we see is that sites in question are invoking "VBScript God Mode."

Here's the most recent information I have from Sophos Support:

----

Mitigation   Lockdown

Platform     6.1.7601/x64 v731 06_3a
PID          11124
Application  C:\Program Files (x86)\Internet Explorer\iexplore.exe
Description  Internet Explorer 11

VBScript God Mode

... Specific details from our Event Log deleted ...

It should not be allowed as an exploit, as there is no reason to trigger this outside an exploit scenario. It uses an array allocation issue to break out of VBscripts sandbox in the browser and access the full operating system without any protections.

Page 8 of our Exploit's Explained guide discusses this vulnerability:

secure2.sophos.com/.../Comprehensive-Exploit-Prevention.pdf

VBScript God Mode On Windows:

VBScript can be used in browsers or the local shell. When used in the browser, the abilities of VBScript are restricted for security reasons. This restriction is controlled by the safemode flag. If this flag is modified, VBScript in HTML can do everything as though it’s in the local shell. Consequently, attackers can easily write malicious code in VBScript. Manipulating the safemode flag on VBScript in the web browser is known as God Mode3. As an example, an attacker can modify the safemode flag value by leveraging the CVE- 2014-6332 vulnerability4, a bug caused by improper handling while resizing an array in the Internet Explorer VBScript engine. In God Mode, arbitrary code written in VBScript can break out of the browser sandbox. Thanks to God Mode, data execution prevention (DEP), address space layout randomization (ASLR), and control-flow guard (CFG) protections are not in play. Vendors supporting this mitigation technique: Sophos Intercept X, Microsoft EMET, Malwarebytes Anti-Exploit

It is not recommended to exclude this, but to have the vendor look at their code, as this is a very well-known vulnerability, and very difficult to trigger by accident.

In any-case, the it's not scripted as God Mode as such, but as 'Safe Mode flag' (CVE-2016-6332). By default, the usage of VBScript functionality in browsers is restricted. This restriction is a controlled by ‘safemode’ flag. The default value of ‘safemode’ flag is always ‘0xE’. If the default value of ‘safemode’ flag is changed then using VBScript, malicious activity can be performed. Controlling of ‘safemode’ flag using VBScript in web browsers has been called ‘GodMode’. Thus, this exploit is famously known as ‘GodMode’ exploit.

As I mentioned above, we do not recommend setting up exclusions to get around these exploits, however here are some workaround options you could implement (in order of most to least preffered), until this is resolved in the website code:

1-The best option would be to exclude the detected exploits, Lockdown in this case. This is the recommended way to implement an exploit exclusion, however in this case it may not be feasible. The reason I say this is, in this case the Sophos identifier for each detection ( called a Thumbprint) is different on each URL visited. So, if these full URLs would change often, you would need to do another exclusion often as well. If however, you only have the few URLs that you access than this would be the best way to go.

2-Excluding Web browsers in the Threat policy, Settings under Mitigate exploits in vulnerable applications, un-check Protect Web Browsers. This can be implemented in a policy that triggers only specific users.

3-The other option, that is a global setting affecting all your users, is to exclude the browser processes via: System Settings -> General Settings -> Exploit Mitigation Exclusions

Turn off Compatibility mode

Step 1:

For IE 10 users:

Open up Internet Explorer (IE 10)

Click on the Tools menu tab

Select the Compatibility View settings option

For IE 11 users:

Open up Internet Explorer (IE 11)

Press the Alt key on your keyboard, this will make a menu bar appear

Click on the Tools menu tab

Select the Compatibility View settings option

Step 2:

If you are using IE 10, you will get the following "Compatibility View Setting" page

Uncheck the "Display all websites in Compatibility View" option

Uncheck the "Display intranet sites in Compatibility View" option

Do not add GMS or Analyzer URL to the Compatibility View box

If you are using IE 11, you will get the following "Compatibility View Setting" page

In IE 11, the  "Display all websites in Compatibility View" option is not available

Uncheck the "Display intranet sites in Compatibility View" option

Do not add GMS or Analyzer URL to the Compatibility View box

So with this issue, adding the URL experiencing the lockdown exploit to IE’s Trusted Sites in Internet Options is a viable option in helping to resolve and allow access to this particular site. Scanning will continue however and anything outside of these that triggers an alert will be flagged.

There is a fix on the horizon as this does only effect IE as far as we can tell, and mainly only Windows 10 computers. The fix from what I have been told by our GES / Development team is due out in Q2 -2018, as they have to write additional code to address this.

As for the fix you have in place, this can be continued to be used safely at this stage, and is approved by our Development team.

----

We are getting this on some important sites since our last windows update deployment over the weekend. I can tell you this.

Adding the website as a scanning exclusion does not work.

Adding the Lockdown exploit for Internet explorer does not work.

The next thing I am left trying is to exclude IE all togther, which is not a viable option.

I'd rather not add IE as an exclusion either

Hi all, below is the response i've had from Sophos Support regarding the Windows Updates issue:

Hello Jay,

My name is John Goulthorp from the Global Escalation Support team at Sophos.

The issue you've raised with a VBScript God Mode mitigation is something we're fixing in the upcoming release of Intercept X. Current plan for release is late April.

In the meantime, to prevent the detections you can add the site that triggers the detection to the 'Local intranet' zone in IE.

Regards,

John Goulthorp
Sophos Technical Support

Hope this helps.