On December 19, 2018, Microsoft announced CVE-2018-8653, which details a remote code execution vulnerability affecting Internet Explorer. Using a specially crafted website, an attacker could exploit this vulnerability to take control of a remote system, including reading and writing data and creating user accounts.
While this vulnerability is known to have been exploited prior to the public announcement, customers running Symantec Endpoint Protection 14.0 RU1 or later had zero-day protection against this exploit if they had Memory Exploit Mitigation (MEM) configured in their environment. MEM provides protection against this exploit through the following mitigation techniques:
RopCall — Ensures that system-critical APIs are reached through CALL instructions rather than through existing RET or JMP instructions, the control-transfer pattern characteristic of return-oriented programming.
RopHeap — Denies calls to memory-protection APIs that target heap memory when the call is reached through a RET instruction.
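As an added illustration of the two checks above (example code written for this page, not Symantec's MEM implementation): a hypothetical caller check that takes the return address recorded on entry to a protected API and decodes backwards to decide whether an x86/x86-64 CALL instruction ends exactly at that address, plus a small policy routine that applies the heap rule. The function names, byte strings and heap range are constructed for the example; only the common CALL encodings are recognised, so the check is a heuristic rather than a proof of a legitimate call.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Return-address check in the spirit of RopCall (example code, not Symantec's
 * implementation). code + ret_off is the return address recorded when a
 * protected API was entered. A genuine CALL leaves its encoding immediately
 * before that address; a RET or JMP does not. x86/x86-64 is assumed. */
static int is_call_modrm(uint8_t modrm, int mod)
{
    /* "FF /2" means opcode FF with the ModRM reg field == 2, i.e. CALL r/m. */
    return ((modrm >> 3) & 7) == 2 && (modrm >> 6) == mod;
}

static int preceded_by_call(const uint8_t *code, size_t ret_off)
{
    /* E8 rel32: direct near CALL, 5 bytes */
    if (ret_off >= 5 && code[ret_off - 5] == 0xE8)
        return 1;
    /* FF Dx: CALL reg, 2 bytes (a REX prefix before FF leaves these two unchanged) */
    if (ret_off >= 2 && code[ret_off - 2] == 0xFF && is_call_modrm(code[ret_off - 1], 3))
        return 1;
    /* FF 5x disp8: CALL [reg+disp8], 3 bytes (rm != 4, so no SIB byte) */
    if (ret_off >= 3 && code[ret_off - 3] == 0xFF &&
        is_call_modrm(code[ret_off - 2], 1) && (code[ret_off - 2] & 7) != 4)
        return 1;
    /* FF 14 sib: CALL [sib], 3 bytes, e.g. FF 14 24 = CALL [rsp] */
    if (ret_off >= 3 && code[ret_off - 3] == 0xFF && code[ret_off - 2] == 0x14)
        return 1;
    /* FF 9x disp32: CALL [reg+disp32], 6 bytes (no SIB) */
    if (ret_off >= 6 && code[ret_off - 6] == 0xFF &&
        is_call_modrm(code[ret_off - 5], 2) && (code[ret_off - 5] & 7) != 4)
        return 1;
    /* FF 15 disp32: CALL [rip+disp32] on x64 / CALL [disp32] on x86, 6 bytes */
    if (ret_off >= 6 && code[ret_off - 6] == 0xFF && code[ret_off - 5] == 0x15)
        return 1;
    return 0;
}

enum verdict { ALLOW = 0, DENY_ROPCALL = 1, DENY_ROPHEAP = 2 };
struct range { uintptr_t lo, hi; };

/* Policy for a memory-protection API (the kind RopHeap guards): allow when the
 * API was reached by a real CALL; otherwise deny, naming the heap rule when the
 * target address lies inside a known heap range. */
static enum verdict check_protect_call(const uint8_t *code, size_t ret_off,
                                       uintptr_t target,
                                       const struct range *heap, size_t nheap)
{
    size_t i;
    if (preceded_by_call(code, ret_off))
        return ALLOW;
    for (i = 0; i < nheap; i++)
        if (target >= heap[i].lo && target < heap[i].hi)
            return DENY_ROPHEAP;
    return DENY_ROPCALL;
}

/* Constructed byte strings (not taken from any real binary); in each, index
 * RET_OFF plays the role of the return address pushed by the caller. */
#define RET_OFF 8
static const uint8_t call_rel32[] = {0x90,0x90,0x90, 0xE8,0x10,0x00,0x00,0x00, 0x90};
static const uint8_t call_reg[]   = {0x90,0x90,0x90,0x90,0x90,0x90, 0xFF,0xD0, 0x90}; /* call rax */
static const uint8_t call_riprel[]= {0x90,0x90, 0xFF,0x15,0x00,0x10,0x00,0x00, 0x90}; /* call [rip+0x1000] */
static const uint8_t rop_gadget[] = {0x90,0x90,0x90,0x90, 0x5B,0x41,0x5C,0xC3, 0x90}; /* pop rbx; pop r12; ret */
static const uint8_t jmp_reg[]    = {0x90,0x90,0x90,0x90,0x90,0x90, 0xFF,0xE0, 0x90}; /* jmp rax */
static const struct range heap[]  = {{0x10000, 0x20000}};  /* constructed heap range */

#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
/* How a hook would feed the check: look at the bytes before its own return
 * address. Called normally from main, so this reports 1. */
__attribute__((noinline)) static int live_caller_check(void)
{
    const uint8_t *ra = (const uint8_t *)__builtin_return_address(0);
    return preceded_by_call(ra - 8, 8);
}
#endif

int main(void)
{
    printf("call rel32      -> %d\n", preceded_by_call(call_rel32, RET_OFF));
    printf("call reg        -> %d\n", preceded_by_call(call_reg, RET_OFF));
    printf("call [rip+disp] -> %d\n", preceded_by_call(call_riprel, RET_OFF));
    printf("ret gadget      -> %d\n", preceded_by_call(rop_gadget, RET_OFF));
    printf("jmp reg         -> %d\n", preceded_by_call(jmp_reg, RET_OFF));
    printf("gadget, heap target     -> verdict %d\n",
           check_protect_call(rop_gadget, RET_OFF, 0x12000, heap, 1));
    printf("gadget, non-heap target -> verdict %d\n",
           check_protect_call(rop_gadget, RET_OFF, 0x50000, heap, 1));
#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
    printf("live caller check       -> %d\n", live_caller_check());
#endif
    return 0;
}
```

The decode is deliberately backward-looking because x86 instructions are variable length, so the check can only ask whether some recognised CALL encoding ends at the return address; a production mitigation would pair it with other signals, which is why the page lists RopHeap alongside RopCall rather than relying on either alone.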
All SEP customers, including those running versions of SEP prior to 14.0 RU1, are now protected against the vulnerability using newly published heuristic detection and IPS signatures (Exp.CVE-2018-8653 and Web Attack: Microsoft Internet Explorer CVE-2018-8653 Activity). Symantec advises customers that the best way to ensure zero-day protection against similar attacks is to deploy the latest version of SEP and to enable all protection capabilities. It is also recommended to apply all vendor patches as soon as possible.