Microsoft Security Advisory 2963983
Vulnerability in Internet Explorer Could Allow Remote Code Execution
Published: April 26, 2014
General Information
Executive Summary
Microsoft is aware of limited, targeted attacks that attempt to
exploit a vulnerability in Internet Explorer 6, Internet Explorer 7,
Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and
Internet Explorer 11. The vulnerability is a remote code execution
vulnerability. The vulnerability exists in the way that Internet
Explorer accesses an object in memory that has been deleted or has not
been properly allocated. The vulnerability may corrupt memory in a way
that could allow an attacker to execute arbitrary code in the context
of the current user within Internet Explorer. An attacker could host a
specially crafted website that is designed to exploit this
vulnerability through Internet Explorer and then convince a user to
view the website.
My understanding is that you are supposed to use Internet Explorer: Enhanced Security Configuration and/or disable ActiveX/Adobe Flash and use Trusted Sites to be able to use IE securely.
My problem is that I have to use IE because of a certain web application that uses ActiveX.
My question: if I use another browser that uses the same rendering engine as IE, will I still be safe? Avant Browser uses the same engine that displays the web pages and does work fine for my web application. But will it be safe from that security bug?
There are even plugins and extensions for Chrome/Firefox that will open a web page using IE Web Browser Control within Chrome/Firefox. These browsers use built-in ActiveX, but Chrome & Firefox are not affected by this security issue. Will it be safe though?
Best Answer
If another browser uses the same rendering engine as IE then it is also vulnerable. In effect, there is not much difference between IE and its ActiveX object.
Your KB article links to MS14-021 which better explains the issue. It also says:
Use this procedure to add only the websites in which you must use ActiveX to the Trusted sites zone, so that ActiveX will be permitted for them, and them only.
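To see which running programs on a workstation actually host the IE engine (and so fall under the answer above), the following added example, which is not part of the original thread, lists every process with the engine loaded. The module names `mshtml.dll` (the Trident rendering engine) and `ieframe.dll` (the WebBrowser control), and the function name `Get-IEEngineHost`, are assumptions not stated on the page; PowerShell 3.0 or later is assumed.

```powershell
# Added example: inventory processes that have the Internet Explorer
# rendering engine loaded, regardless of which browser shell they belong to.
# Assumed module names (not from the page): mshtml.dll, ieframe.dll.
$engineModules = @('mshtml.dll', 'ieframe.dll')

function Get-IEEngineHost {
    param([string[]]$ModuleNames = $engineModules)

    foreach ($proc in Get-Process) {
        try {
            # The module list can be unreadable (access denied, process
            # already exited); such processes are skipped.
            # -contains is case-insensitive, so MSHTML.DLL also matches.
            $hits = @($proc.Modules) |
                Where-Object { $ModuleNames -contains $_.ModuleName }
        } catch {
            Write-Verbose "Skipped $($proc.ProcessName) ($($proc.Id))"
            continue
        }

        foreach ($m in $hits) {
            [pscustomobject]@{
                Process     = $proc.ProcessName
                Id          = $proc.Id
                Module      = $m.ModuleName
                FileVersion = $m.FileVersionInfo.FileVersion
                Path        = $m.FileName
            }
        }
    }
}

# A third-party browser or an "IE tab" extension host that shows up here is
# running the same engine as iexplore.exe and needs the same patch and
# zone restrictions.
Get-IEEngineHost | Sort-Object Process, Module | Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell session while the browsers in question have a page open, otherwise modules of other users' or 64-bit processes may not be visible.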