Like This Blog 0

Added by Steve Fullmer June 12, 2014

News, background, and alternatives regarding the recent Internet Explorer “Day Zero” attack are spread across the Internet.  Confusion continues, so we decided to help set the record straight for our customer/readers. Step one, be careful what you read and interpret, including within this blog. Despite our care and research, we continue to find additional information from Microsoft and other sources. I double checked all of the information just before submitting this blog, and found a few changes made as recently as last night (Tuesday, June 11) following the most recent ‘patch Tuesday’ release from Microsoft. Your best source regarding Microsoft alternatives will always be Microsoft. Though you may need to review updates almost day to remain current.

Although a patch was issued on April 29^th, articles as recent as this past weekend are outdated or continue mis-information. For instance, one June 6^th article Microsoft warns of major Internet Explorer bug; no fix for Windows XP suggests that XP will not be supported. The truth of the matter is that Microsoft created a patch and update for XP despite the April 8^th end of support for XP.

The Timeline: Some days before April 26^th, security vendor FireEye identified a code bug in Internet Explorer that was being used to target defense and financial websites. FireEye reported the exploit to both Microsoft and the US Computer Security Readiness Team.  On April 26 – Homeland Security and US Cert issued an advisory suggesting discontinued use of Internet Explorer 9 through 11 due to a significant security bug. Microsoft simultaneously disclosed the weakness in IE versions 9-11. Microsoft subsequently announced that the issue existed within IE versions 6-11, and issued patches for all operating systems from XP through Windows 8.1 despite discontinuing support for XP in April. Patches were available as early as April 29^th.

In order to affect immediate delivery all patches were made available through Windows Update. Anyone who has enabled immediate download and installation of Windows Updates should be protected.

The many advisories suggested immediately discontinuing IE use entirely, shifting instead to Google Chrome, Mozilla Firefox, or Apple Safari. This is a viable alternative, and has or will likely be adopted by many end-users who are already shifting toward the use of these browser alternatives as a result of their mobile platforms. (And commensurate familiarity).  Based on mobile platform popularity on Android phones, a recent Adobe survey (ADI Report: Google Controls The Browser Worldwide) identifies that Google Chrome is now the most deployed browser on the planet.  Let’s set one record straight: the IE vulnerability might accelerate some migrations, but is not causing the displacement of IE.

A defense in depth approach suggests that something more than mere browser replacement is in order. (We visit the Defense in Depth module within our Security+ course.)

The original US Cert advisory (Microsoft Internet Explorer Use-After-Free Vulnerability Guidance) suggested few alternatives.

Advisories from dozens other vendors suggested options from segmenting the corporate network, to removing Adobe Flash player (and all other add-ons), and included hardware or software firewalls, intrusion detection systems, and far more robust solutions.

In fact, the vulnerability is more likely to be exploited due to the lack of a comprehensive security approach than merely the weakness in IE, albeit it serious enough to suggest a strong warning.

Microsoft was quick to release a full and comprehensive advisory (2963983).  Though some readers may have missed the link to the related Security Bulletin MS14-021 –Critical.

Security Bulletin MS14-021 ought to be your first stop if you want to patch the vulnerability, determine if the exploit has been used against you, or want to determine which of your systems might be vulnerable and at what level. Links to manually acquire the patch across almost every client and server operating system, and including IE 6 through IE 11 across each listed platform are provided. We note that Windows 8 is specifically excluded. In order to patch Windows 8, you must upgrade to Windows 8.1.

This small discovery suggests that you need to make sure not only that you patch IE, but that you have both the latest and most comprehensive updates for all of your Windows operating systems.

Although the patches were originally released on May 1^st, Microsoft has continued to work the problem.  Last week Zdnet provided an overview (Microsoft to release seven security updates next week) of seven security patches scheduled for release this week.  Windows Updates included additional corrections for IE 11 on Windows 8.1. Although the initial patch provided a solution for Windows XP, early reviewer suggested that the latest updates might only to address the most current operating systems.

NOTE: Go look again at the Security MS14-21 Security Bulletin and related patches and use that source as your primary security correction until you have a chance to more comprehensively review the newest update set.

I reviewed the current update set dated June 10, including Microsoft Security Bulletins MS14-30 through MS14-36. MS14-35 (Microsoft Security Bulletin MS14-036 – Critical) specifically addresses the IE vulnerability, and supports a different mixture of Windows platforms and IE versions.  We noted that Windows 8 is now included, though Windows XP is specifically excluded.  The updates cover both client and server operating systems. Server updates are typically reviewed and tested before deployment. In this case, I strongly recommend updating your 2003 through 2012 server platforms as soon as possible. Whether or not the other patches and update were discovered as a by product of the IE vulnerability discovery, the current patch set identifies exploits in popular platforms like Microsoft Word, Remote Desktop, TCP, Graphics Components, and XML services. You probably need to implement them all – most of the vulnerabilities enable remote or Internet based attacks.

Given the breadth of these patches and the proliferation of intrusive, malicious, Internet based attacks we even more strongly suggest the layered security approach associated with defense in depth. If you have the proper layering of security processes and tools, no single attack can significantly damage you or can be quickly isolated. There is no single alternative that will absolutely solve the potential IE vulnerability. Changing your browser might alter the vulnerability or direction of attack. This is merely a delaying tactic.

If a target exists, malicious hackers will find it. Although critical, the IE exploit is merely the latest, and will not be the last. As I type this blog, Evernote and Feedly have reported a Distributed Denial of Service attack (Evernote and Feedly Hit by Cyberattacks, Held for Ransom) from a hacker attempting to extort money for discontinuing the attack. This is just another example of the pervasive nature of current Internet assaults.

Patch IE. Harden your system (remove unnecessary services and applications). Patch other OS and application components.  Layer your security. Scan regularly. Review blogs and security bulletins regularly.

Perhaps it is time for a security course to learn some additional tools and approaches?

Hope to see you in the classroom or online!
Steven Fullmer
Interface Technical Training Staff Instructor