The Internet Explorer patch – Setting the record straight
The Internet Explorer patch – Setting the record straight
News, background, and alternatives regarding the recent Internet Explorer “Day Zero” attack are spread across the Internet. Confusion continues, so we decided to help set the record straight for our customer/readers. Step one, be careful what you read and interpret, including within this blog. Despite our care and research, we continue to find additional information from Microsoft and other sources. I double checked all of the information just before submitting this blog, and found a few changes made as recently as last night (Tuesday, June 11) following the most recent ‘patch Tuesday’ release from Microsoft. Your best source regarding Microsoft alternatives will always be Microsoft. Though you may need to review updates almost day to remain current.
Although a patch was issued on April 29th, articles as recent as this past weekend are outdated or continue mis-information. For instance, one June 6th article Microsoft warns of major Internet Explorer bug; no fix for Windows XP suggests that XP will not be supported. The truth of the matter is that Microsoft created a patch and update for XP despite the April 8th end of support for XP.
The Timeline: Some days before April 26th, security vendor FireEye identified a code bug in Internet Explorer that was being used to target defense and financial websites. FireEye reported the exploit to both Microsoft and the US Computer Security Readiness Team. On April 26 – Homeland Security and US Cert issued an advisory suggesting discontinued use of Internet Explorer 9 through 11 due to a significant security bug. Microsoft simultaneously disclosed the weakness in IE versions 9-11. Microsoft subsequently announced that the issue existed within IE versions 6-11, and issued patches for all operating systems from XP through Windows 8.1 despite discontinuing support for XP in April. Patches were available as early as April 29th.
In order to affect immediate delivery all patches were made available through Windows Update. Anyone who has enabled immediate download and installation of Windows Updates should be protected.
The many advisories suggested immediately discontinuing IE use entirely, shifting instead to Google Chrome, Mozilla Firefox, or Apple Safari. This is a viable alternative, and has or will likely be adopted by many end-users who are already shifting toward the use of these browser alternatives as a result of their mobile platforms. (And commensurate familiarity). Based on mobile platform popularity on Android phones, a recent Adobe survey (ADI Report: Google Controls The Browser Worldwide) identifies that Google Chrome is now the most deployed browser on the planet. Let’s set one record straight: the IE vulnerability might accelerate some migrations, but is not causing the displacement of IE.
A defense in depth approach suggests that something more than mere browser replacement is in order. (We visit the Defense in Depth module within our Security+ course.)
The original US Cert advisory (Microsoft Internet Explorer Use-After-Free Vulnerability Guidance) suggested few alternatives.
Advisories from dozens other vendors suggested options from segmenting the corporate network, to removing Adobe Flash player (and all other add-ons), and included hardware or software firewalls, intrusion detection systems, and far more robust solutions.
In fact, the vulnerability is more likely to be exploited due to the lack of a comprehensive security approach than merely the weakness in IE, albeit it serious enough to suggest a strong warning.
Security Bulletin MS14-021 ought to be your first stop if you want to patch the vulnerability, determine if the exploit has been used against you, or want to determine which of your systems might be vulnerable and at what level. Links to manually acquire the patch across almost every client and server operating system, and including IE 6 through IE 11 across each listed platform are provided. We note that Windows 8 is specifically excluded. In order to patch Windows 8, you must upgrade to Windows 8.1.
This small discovery suggests that you need to make sure not only that you patch IE, but that you have both the latest and most comprehensive updates for all of your Windows operating systems.
Although the patches were originally released on May 1st, Microsoft has continued to work the problem. Last week Zdnet provided an overview (Microsoft to release seven security updates next week) of seven security patches scheduled for release this week. Windows Updates included additional corrections for IE 11 on Windows 8.1. Although the initial patch provided a solution for Windows XP, early reviewer suggested that the latest updates might only to address the most current operating systems.
NOTE: Go look again at the Security MS14-21 Security Bulletin and related patches and use that source as your primary security correction until you have a chance to more comprehensively review the newest update set.
I reviewed the current update set dated June 10, including Microsoft Security Bulletins MS14-30 through MS14-36. MS14-35 (Microsoft Security Bulletin MS14-036 – Critical) specifically addresses the IE vulnerability, and supports a different mixture of Windows platforms and IE versions. We noted that Windows 8 is now included, though Windows XP is specifically excluded. The updates cover both client and server operating systems. Server updates are typically reviewed and tested before deployment. In this case, I strongly recommend updating your 2003 through 2012 server platforms as soon as possible. Whether or not the other patches and update were discovered as a by product of the IE vulnerability discovery, the current patch set identifies exploits in popular platforms like Microsoft Word, Remote Desktop, TCP, Graphics Components, and XML services. You probably need to implement them all – most of the vulnerabilities enable remote or Internet based attacks.
Given the breadth of these patches and the proliferation of intrusive, malicious, Internet based attacks we even more strongly suggest the layered security approach associated with defense in depth. If you have the proper layering of security processes and tools, no single attack can significantly damage you or can be quickly isolated. There is no single alternative that will absolutely solve the potential IE vulnerability. Changing your browser might alter the vulnerability or direction of attack. This is merely a delaying tactic.
If a target exists, malicious hackers will find it. Although critical, the IE exploit is merely the latest, and will not be the last. As I type this blog, Evernote and Feedly have reported a Distributed Denial of Service attack (Evernote and Feedly Hit by Cyberattacks, Held for Ransom) from a hacker attempting to extort money for discontinuing the attack. This is just another example of the pervasive nature of current Internet assaults.
Patch IE. Harden your system (remove unnecessary services and applications). Patch other OS and application components. Layer your security. Scan regularly. Review blogs and security bulletins regularly.
Perhaps it is time for a security course to learn some additional tools and approaches?
You May Also Like
In this video, you will gain an understanding of Agile and Scrum Master Certification terminologies and concepts to help you make better decisions in your Project Management capabilities. Whether you’re a developer looking to obtain an Agile or Scrum Master Certification, or you’re a Project Manager/Product Owner who is attempting to get your product or … Continue reading Agile Methodology in Project Management
In this recorded Windows 10 webinar from December 1,2015, Windows Instructor Steve Fullmer presents the navigation and some of the new features associated with Windows 10 including Sysinternals Tools for Windows Client, Windows core concepts, exploring Process Explorer as well as some of the features that are not yet ready for prime time but will … Continue reading Windows 10 Features and Navigation – December 1, 2015
How does an investigator hunt down and identify unknown malware? In this recording of our IT Security training webinar on April 21, 2015, Security expert Mike Danseglio (CISSP / CEH) performed several malware investigations on infected computers and identify symptoms, find root cause, and follow the leads to determine what’s happening. He demonstrated his preferred … Continue reading Detailed Forensic Investigation of Malware Infections – April 21, 2015