Internet Explorer FUD startles the masses – Patch announced
by Steve Ragan - Dec 16 2008, 18:44
Exploit for IE 7 is getting lots of coverage, but should you panic?
Update: Microsoft has said it will issue an out-of-band patch for the IE vulnerability. It is set to be released Wednesday, December 17.
A week ago today, when The Tech Herald posted a quick item about the monthly Microsoft patch release, we mentioned that there was a brand-spanking-new exploit targeting Internet Explorer. Now, thanks to extensive press coverage, news of the exploit has gone into overdrive, causing misinformation and panic. For those in IT who need results and answers for the brass, here are the facts:
[Note: Page 2 of this article is centered on home users. It covers some basic workarounds for the exploit.]
Positive confirmation of the exploit exists. This is a real threat. With that said, the world will not end because of a single zero-day within Internet Explorer. The massive rush to suggest switching to a new browser, and the security experts who tell you that the end is near, likely come from a relatively slow news month in the security world.
Again, in IT you have to explain the details to the bosses. They want to know: “Are we safe?”, “What does this mean?”, and “Can you fix it?”
Starting with the second question, “What does this mean?” the short and sweet answer is a simple one. There is a flaw in all versions of Internet Explorer that if exploited could allow remote access to the system.
The first question, “Are we safe?” is a solid yes if, as an IT leader, you have taken a layered and controlled approach to your network security, such as account access limits and using proper Internet Zone controls.
The exploit is hosted online, located on both malicious domains and compromised legitimate domains. The legitimate domains are being compromised through SQL injection attacks, which take advantage of poor development practices or simple coding mistakes. Check your Web site and clean the code.
The list of known malicious domains is growing, thanks to researchers and security vendors sharing intelligence. Filtering traffic from all CN domains is a solid start.
Shadowserver has a large list of known hosts exploiting this vulnerability. Almost all of them are using URLs from China. Block all Chinese traffic, and allow only the hosts that you must. This is a prime example of how whitelisting can help.
Other mitigations, according to Microsoft, include:
Protected Mode in Internet Explorer 7 and Internet Explorer 8 Beta 2 in Windows Vista, which limits the impact of the vulnerability.
By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
There is a list of workarounds to be found here.
“Can you fix it?” is the only tricky question. You can apply the mitigations, but those are but Band-Aids until a proper patch is released by Microsoft.
Trend Micro and Sophos are two security vendors actively protecting clients against the exploit. Websense, likewise, is not only helping to protect its clients, but like Trend and Sophos, has helped in the research.
The Tech Herald reached out to other vendors, checking to see if they are presently protecting their customers from the risks that the exploit poses. Here is what we got back.
“We became aware of [the Internet Explorer vulnerability] a week or so ago quite frankly. We’ve been very well prepared for it; we’ve had protection in place since that time. We certainly have the ability to stop any of the Malware that it’s dropping. As well as dealing with the exploit itself and the HTML issues and XML issues,” Dave Marcus of McAfee said in a phone interview.
“Nine times out of ten when it’s a piece of Malware being dropped, it’s going to be a downloader or some type of Trojan. Those are certainly nothing new. Most of the time, they’re using a new exploit or a new vulnerability, but they’re trying to drop the same old Malware almost all of the time.”
“The instances we’ve actually seen out in the wild are the use of the downloader, the AZN.Trojan, which once again is proactively detected. We have no doubts that we’ll be able to tackle any of the Malware that it’s trying to drop on the machine,” Marcus added.
Symantec pointed to a statement on their blog, “Symantec currently has protection against the exploits served. If the system is exploited, it drops various malicious code onto the exploited system such as Downloader and Infostealer.Gamler. At present, Symantec has detection for this malicious code, but recommends that you keep your definitions up-to-date because the malicious code being served is changing on a regular basis.”
There are also the browser add-ons, SiteAdvisor (McAfee) and LinkScanner (AVG), to consider. Both AVG and McAfee confirmed that, because of how their respective products work, customers using them have been and will continue to be alerted to sites hosting the exploit. That is yet another layer of protection.
Now for the home user. The advice of avoiding unknown or untrusted domains is applicable here. However, because known legit domains could be targeted, there is an added layer of risk.
To protect yourself, layer your security. The first thing to do is ensure that you are using both anti-virus and anti-spyware protection. Most vendors include both. If you use a Norton, Kaspersky, BitDefender, Norman, Panda, or McAfee package, then you are likely covered, but it has to be kept updated.
For users on Vista, ensure that Protected Mode is turned on. Protected Mode in Internet Explorer 7 is enabled by default, as it is closely tied into security offered on Vista. However, double check this feature.
Go to Internet Options (in IE7, open the Tools menu, then Internet Options), click the Security tab, select a Web content zone, and then make sure the "Enable Protected Mode" check box is selected. To verify that Internet Explorer is running in Protected Mode, look for the words "Protected Mode: On" next to the Web content zone displayed in Internet Explorer's status bar.
Windows XP users do not have the Protected Mode option. In that case, switching the Internet Zone and Local Intranet Zone to High will help mitigate the problem. This makes the browser prompt for permission before ActiveX controls, which are what triggers the exploit, are allowed to run.
As mentioned, security should be done in layers, so for both Vista and XP users one other step is to either make Internet Explorer prompt or completely block Active Scripting.
From the Microsoft Advisory, here is how to do that:
"In Internet Explorer, click Internet Options on the Tools menu, click the Security tab and then click Internet, then click Custom Level. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK."
You will do the same thing for the Local Intranet Zone.
If, after making these changes, a known and trusted site fails to work properly, you can add that domain to the Internet Explorer Trusted Sites Zone.
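The three steps above (Protected Mode, the Internet and Local Intranet zones, and Trusted Sites) all live in the current user's Internet Explorer zone settings in the registry, so they can be audited and applied from a script as well as through the Internet Options dialog. The following PowerShell is an added example written for this page; it is not from the article or from Microsoft's advisory. It assumes the documented zone layout (zone 1 = Local Intranet, zone 3 = Internet; DWORD 1200 = Run ActiveX controls and plug-ins, 1400 = Active Scripting, 2500 = Protected Mode, each with 0 = Enable, 1 = Prompt, 3 = Disable) and the ZoneMap\Domains layout for Trusted Sites; the domain intranet.example.com is a constructed placeholder.

```powershell
# Added example, not from the article or from Microsoft's advisory.
# Audits (and, if asked, applies) the workarounds described above for the
# current user's Internet (zone 3) and Local Intranet (zone 1) zones.
# Layout assumed: HKCU\...\Internet Settings\Zones\<n>, one DWORD per URL action.

$ZoneRoot  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ 1 = 'Local Intranet'; 3 = 'Internet' }

# URL action values: 0 = Enable, 1 = Prompt, 3 = Disable.
# For 2500 (Protected Mode, Vista and later only) 0 means On and 3 means Off.
$Actions = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active Scripting'
    '2500' = 'Protected Mode'
}
$StateNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting {
    # Returns the current DWORD for one action in one zone, or $null when the
    # value is absent (for example, 2500 does not exist on Windows XP).
    param([int]$Zone, [string]$Action)
    $props = Get-ItemProperty -Path (Join-Path $ZoneRoot $Zone) -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$Action) { return $null }
    return [int]$props.$Action
}

function Get-ZoneCompliance {
    # One row per action: what is set now and whether it matches the workaround.
    param([int]$Zone)
    foreach ($a in ($Actions.Keys | Sort-Object)) {
        $v = Get-ZoneSetting -Zone $Zone -Action $a
        if ($a -eq '2500') {
            $ok = ($null -eq $v) -or ($v -eq 0)   # Protected Mode on, or not applicable (XP)
        } else {
            $ok = ($v -eq 1) -or ($v -eq 3)       # ActiveX / scripting set to Prompt or Disable
        }
        if ($null -eq $v) { $state = 'not present' } elseif ($StateNames.ContainsKey($v)) { $state = $StateNames[$v] } else { $state = "raw value $v" }
        New-Object PSObject -Property @{
            Zone      = $ZoneNames[$Zone]
            Action    = "$a $($Actions[$a])"
            Current   = $state
            Compliant = $ok
        }
    }
}

function Set-ZoneHardening {
    # Applies the workaround: ActiveX and Active Scripting to Prompt (or to
    # Disable with -Disable), and Protected Mode on where the value exists.
    # Changes take effect for newly opened Internet Explorer windows.
    param([int]$Zone, [switch]$Disable)
    $key   = Join-Path $ZoneRoot $Zone
    $level = if ($Disable) { 3 } else { 1 }
    foreach ($a in '1200', '1400') {
        Set-ItemProperty -Path $key -Name $a -Value $level -Type DWord
    }
    if ($null -ne (Get-ZoneSetting -Zone $Zone -Action '2500')) {
        Set-ItemProperty -Path $key -Name '2500' -Value 0 -Type DWord
    }
}

function Add-TrustedSite {
    # Puts one domain into the Trusted Sites zone (ZoneMap value 2) for the given
    # scheme, for a known site that stops working under the stricter settings.
    param([string]$Domain, [string]$Scheme = 'https')
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value 2 -Type DWord
}

# Report both zones; uncomment the last lines to apply the workaround.
foreach ($z in ($ZoneNames.Keys | Sort-Object)) {
    Get-ZoneCompliance -Zone $z | Select-Object Zone, Action, Current, Compliant | Format-Table -AutoSize
}
# Set-ZoneHardening -Zone 3
# Set-ZoneHardening -Zone 1
# Add-TrustedSite -Domain 'intranet.example.com'   # constructed placeholder domain
```

Run the report first to see where each zone stands; a row showing "not present" for 2500 simply means the machine has no Protected Mode (Windows XP), which is why the compliance check treats that case as acceptable. Only domains that actually break should go into Trusted Sites, since that zone is exempt from the stricter settings the rest of the script enforces.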
There are other mitigations for both the business and home user in the Microsoft Advisory. However, the first two are what we covered here. To view them all, just look at the Workaround section under Suggested Actions. The Advisory is here.
The thing to remember here is that this vulnerability in Internet Explorer is just like any other vulnerability. It is dangerous and can cause serious problems. Yet, you do not need to panic and stop using Internet Explorer completely because of it.
Using the workarounds will help, but you will need to make sure that you apply patches from Microsoft every month.
Will Microsoft release a fix for this? Yes; odds are it will release a dedicated patch before the next round of security updates in early January.