Thursday 20 September 2012

IE 7/8/9 Zero-day flaw exploited, Patch to be released Friday


As you may have heard recently, Microsoft has warned that there is now an active (read: people have reported problems on production systems) zero-day security exploit that affects all but the soon-to-be-released versions of Internet Explorer. This means that the affected versions of IE include versions 6, 7, 8 and 9.

Arrgh, this is serious. Usually, I would just say download and use the latest version. Actually, I would more commonly say, "please move off of IE6". But this time things are different. In fact, the advice I was given was not to use IE at all for the next little while (does this mean weeks or months?). This kind of validates the B+1 mode of thinking that I have been advocating for a while. Each enterprise now needs to fully deploy, support and patch 2 browsers. So, my thinking here is that over the next little while (until the release and change control people are happy) we will be using either Chrome or Firefox.

Microsoft has offered some other advice including:

  • Deploy the Enhanced Mitigation Experience Toolkit (EMET).  This will help prevent exploitation by providing mitigations to help protect against this issue and should not affect usability of websites.
  • Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones. This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones. This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.

Downloading the Microsoft EMET is easy - deploying will not be. In fact, for most of the organisations that I work with (read: large-scale enterprises) I would not roll out any EMET components without some serious testing. If you are in doubt, read this from the EMET download and support page:
"The security mitigation technologies that EMET uses carry an application compatibility risk with them. Some applications rely on exactly the behavior that the mitigations block. It is important to thoroughly test EMET on all target computers by using test scenarios before you deploy EMET in a production environment. If you encounter a problem with a specific mitigation, you can individually enable and disable the specific mitigations. For more information, refer to the user's guide that is installed with EMET."
Luckily for us, a security update for IE (6, 7, 8, 9), which will automatically patch several hundred million PCs around the globe via Microsoft’s Windows Update service, is scheduled for release this Friday. I will post an update to this blog with the location of the security update patch.
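
While waiting for the patch, the zone workarounds in Microsoft's list above can be checked per machine. The following read-only PowerShell audit is an added example, not code from Microsoft's advisory or from this post. The registry locations and action codes (1400, 1200) are the standard IE zone settings; the lookup order and the treatment of an unset value as unmitigated are simplifying assumptions. It needs PowerShell 3.0 or later.

```powershell
# Read-only audit of the Active Scripting / ActiveX zone workaround.
# Zone 1 = Local intranet, zone 3 = Internet (standard IE zone numbers).
$zones = @{ 1 = 'Local intranet'; 3 = 'Internet' }

# URL action codes and the values that count as mitigated here:
# Active Scripting may be Prompt (1) or Disable (3); ActiveX must be Disable (3).
$actions = @{
    '1400' = @{ Name = 'Active Scripting';                  Ok = @(1, 3) }
    '1200' = @{ Name = 'Run ActiveX controls and plug-ins'; Ok = @(3) }
}
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Checked in order, first hit wins. Assumption: machine policy, then user
# policy, then the user's own preference.
$roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ZoneAction {
    param([int]$Zone, [string]$Action)
    foreach ($root in $roots) {
        $key  = Join-Path $root "$Zone"
        $item = Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = [int]$item.$Action; Source = $root }
        }
    }
    return $null   # not set in any location we looked at
}

$report = foreach ($z in $zones.Keys) {
    foreach ($a in $actions.Keys) {
        $hit = Get-ZoneAction -Zone $z -Action $a
        $setting = if ($null -eq $hit) { 'Not set' }
                   elseif ($meaning.ContainsKey($hit.Value)) { $meaning[$hit.Value] }
                   else { 'Other (0x{0:X})' -f $hit.Value }
        [pscustomobject]@{
            Zone      = $zones[$z]
            Action    = $actions[$a].Name
            Setting   = $setting
            Mitigated = ($null -ne $hit) -and ($actions[$a].Ok -contains $hit.Value)
            Source    = if ($hit) { $hit.Source } else { '-' }
        }
    }
}

$report | Sort-Object Zone, Action | Format-Table -AutoSize
```

Any row with `Mitigated` set to `False` is a zone where the workaround is not in effect for the current user; a `Source` under `Policies` means the value comes from Group Policy, not from the user's own settings.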


References:
You can find the Microsoft EMET tool-kit here: http://www.microsoft.com/en-us/download/details.aspx?id=29851

Microsoft Security Advisory: Vulnerability in Internet Explorer could allow remote code execution:

Microsoft EMET Support page: http://support.microsoft.com/kb/2458544


Microsoft Security Advisory (2757760)
Vulnerability in Internet Explorer Could Allow Remote Code Execution: http://technet.microsoft.com/en-us/security/advisory/2757760

You can read more about Zero-day attacks here: http://en.wikipedia.org/wiki/Zero-day_attack
