thewayne: (Cyranose)
Yesterday Microsoft announced a zero-day exploit in the wild that was being actively used against people running IE versions 6 through 11. There is no true fix, but there are a couple of things that can be done to help. First, the recommendation from the US and UK governments is to stop using IE. There are plenty of other good browsers: Firefox, Chrome, Epic, Opera, etc. Second, update your Flash player. If you must use IE, and you're running versions 10 or 11, there are a couple of things that you can do to protect yourself.

Krebs warning on the IE exploit: http://krebsonsecurity.com/2014/04/microsoft-warns-of-attacks-on-ie-zero-day/

Krebs writeup on updating Flash: http://krebsonsecurity.com/2014/04/adobe-update-nixes-flash-player-zero-day/
thewayne: (Default)
Google Chrome has been doing this, Mozilla is considering it for Firefox. And Microsoft will be forcing this on people, so anyone still running IE 6 will be getting upgraded whether they want this or not.

http://www.h-online.com/security/news/item/Microsoft-to-automatically-update-Internet-Explorer-1396919.html
thewayne: (Default)
"The first widespread attack to leverage the Internet Explorer flaw that Microsoft patched in an emergency update Thursday morning has surfaced. By midday Thursday Symantec had spotted hundreds of Web sites that hosted the attack code. The attack installs a Trojan horse program that is able to bypass some security products and then give hackers access to the system, said Joshua Talbot, a security intelligence manager with Symantec. Once it has infected a PC, the Trojan sends a notification e-mail to the attackers, using a US-based, free e-mail service that Symantec declined to name."

I would find it so amusing, and not in the least bit surprising, to find out that the free e-mail service was Hotmail or Gmail.

Security is a bitch. Someone once said that the price of freedom is eternal vigilance; well, so is the price of security.

http://tech.slashdot.org/story/10/01/23/1429207/Widespread-Attacks-Exploit-Newly-Patched-IE-Bug?art_pos=3
thewayne: (Default)
From TFA: Microsoft confirmed it learned of the so-called “zero-day” flaw months ago.

According to Microsoft, “An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”


Linux and Mac have forced you to use sudo to access low-level stuff for quite a while now; most Windows home users, prior to Vista, have been running as local admin and were very vulnerable to this. Vista and Win7 made a lot of improvements in this area, but there are still far too many compromises possible.

http://www.wired.com/threatlevel/2010/01/microsoft-zero-day-flaw


In other news, Microsoft released a patch for this particular exploit.

http://www.pcmag.com/article2/0,2817,2358284,00.asp

http://tech.slashdot.org/story/10/01/21/2135226/Microsoft-Patches-Google-Hack-Flaw-In-IE?art_pos=17
thewayne: (Default)
"Microsoft still has not released a patch for a major zero-day flaw in IE6 that was used by Chinese hackers to attack Google. After sample code was posted on a website, calls began for Microsoft to release an out-of-cycle patch. Now, France has joined Germany in recommending its citizens abandon IE altogether, rather than waiting for a patch. Microsoft still insists IE8 is the 'most secure browser on the market' and that they believe IE6 is the only browser susceptible to the flaw. However, security researchers warned that could soon change, and recommended considering alternative browsers as well."

http://yro.slashdot.org/story/10/01/18/2030224/France-Tells-Its-Citizens-To-Abandon-IE-Others-Disagree?art_pos=19

In all fairness, I would imagine that MS is testing a patch. The problem is that regression testing takes a lot of work, especially when you need to test it in conjunction with other patches to make sure that fixing this problem doesn't create THAT problem.


And in even more fairness, a PC World columnist says that abandoning IE is not a cure-all for security problems. And he's right. The attackers used multiple tools to compromise Google and others; ONE of these tools exploited a hitherto-unknown hole in IE. Adobe just fixed a zero-day flaw in Acrobat that could have been used in this attack; we don't yet know.

There are a couple of interesting quotes in the latter article:

I asked Kurtz about the irony that Google, makers of the Chrome Web browser, could be compromised by a flaw in Internet Explorer. Shouldn't Google be using Chrome?

Kurtz replied "It is easy to come to that conclusion, but IE is ubiquitous and is used in almost every corporation. Keep in mind, there are many enterprise applications that only work with IE--so it is difficult to just mandate an alternate browser even if you are the creator of that browser."


I'm a little surprised. As far as I know, Google uses an OS that they built for their servers. Their developers use in-house tools for their coding, so why would they be running Windows? The most likely explanation is that the attack came in through the corporate side. Chances are their marketing and accounting departments are using Windows.

While research indicates that the Internet Explorer zero-day used in the attacks could be used on any version of Internet Explorer, even on Windows 7, the initial investigation suggests that the systems targeted were actually using Internet Explorer 6 on Windows XP. Simply using a current operating system and a current Web browser would have afforded significantly more protection.

Now this is just sad. I realize that there is huge inertia in IT in large organizations to upgrade operating systems, but this is just sad. There's no reason that Google couldn't have at least been running Vista, which, for all its multitudinous faults, is still more secure than XP. For that matter, they could have been running IE 7 or 8 on top of XP: I know for a fact that it's possible as I run IE 8 on two XP machines.

Interesting stuff.

http://www.pcworld.com/businesscenter/article/187119/dont_kill_the_messenger_blaming_ie_for_attacks_is_dangerous.html


Corporate IT inertia is a huge thing, and sometimes architectures just don't do what you want them to.
thewayne: (Default)
"After McAfee's disclosure of an IE 0-day vulnerability this week that had been used in Operation Aurora, the hack and stealing of data from Google, Adobe and about 3 dozen other major companies, the German government has advised the public to switch to alternative browsers. Given that the exploit has now been made public and the patch from Microsoft is still nowhere to be seen, how long will it be before other governments follow suit?"

http://tech.slashdot.org/story/10/01/16/1239212/German-Government-Advises-Public-To-Stop-Using-IE?art_pos=5


Not only has the exploit been made public, it has already been incorporated into available hack tools.

I find this advisory particularly amusing. Just Friday I got an email from the IT director at work telling everyone that they must uninstall Firefox and can only use IE. I use IE for two things. First, on a new OS install, to download Firefox. Second, to run Windows Updates. With Vista and Win7, you no longer need IE even for that.

Color me amused.
