Microsoft Internet Explorer Security Warning from the U.S. Department of Homeland Security

20140428mo-computer-security-news-675x300

First Response – Alternative Browsers

As you’ll read in the article below, the U.S. Department of Homeland security is recommending that people use alternative browsers until Microsoft provides a security update for Internet Explorer. Here are some alternative browsers:

Note: In our Windows Setup checklist, we recommend the installation of several browsers when setting up a new computer — for security reasons and also because some websites are not properly viewed with some browsers. If a browser is ‘hijacked’ by malware, it is sometimes possible to switch to another browser and begin the process of cleaning up the computer.

Further Reading

The USA Today news coverage of this story is below. Further reading can be found in the following articles.

USA Today News Story

Below is a new story from USA Today about this security vulnerability. (Source: “Homeland Security: Don’t use IE due to bug,” USA Today, 28 April 2014)

* * *

SAN FRANCISCO – The U.S. Department of Homeland security is advising Americans not to use the Internet Explorer Web browser until a fix is found for a serious security flaw that came to light over the weekend.

The bug was announced on Saturday by FireEye Research Labs, an Internet security software company based in Milpitas, Calif.

“We are currently unaware of a practical solution to this problem,” the Department of Homeland Security’s United States Computer Emergency Readiness Team said in a post Monday morning.

It recommended that users and administrators “consider employing an alternative Web browser until an official update is available.”

The security flaw allows malicious hackers to get around security protections in the Windows operating system. They then can be infected when visiting a compromised website.

Because the hack uses a corrupted Adobe Flash file to attack the victim’s computer, users can avoid it by turning off Adobe Flash.

“The attack will not work without Adobe Flash,” FireEye said. “Disabling the Flash plugin within IE will prevent the exploit from functioning.”

While the bug affects all versions of Internet Explorer six through 10 it is currently targeting IE9 and IE10, FireEye stated.

The attacks do not appear to be widespread at this time. Microsoft said it was “aware of limited, targeted attacks that attempt to exploit” the vulnerability.

These are called “watering hole attacks,” said Satnam Narang, a threat researcher with computer security company Symantec in Mountain View, Calif..

Rather than directly reach out to a victim, the hackers inject their code into a “normal, everyday website” that the victim visits, he said. Code hidden on the site then infects their computers.

“It’s called a watering hole attack because if you’re a lion, you go to the watering hole because you know that’s where the animals go to drink.”

FireEye said the hackers exploiting the bug are calling their campaign “Operation Clandestine Fox.”

Microsoft confirmed Saturday that it is working to fix the code that allows Internet Explorer versions six through 11 to be exploited by the vulnerability. As of Monday morning, no fix had been posted.

Microsoft typically releases security patches on the first Tuesday of each month, what’s known as Patch Tuesday. The next oneis Tuesday, May 6. Whether the company will release a patch for this vulnerability before that isn’t known.

About 55% of PC computers run one of those versions of Internet Explorer, according to the technology research firm NetMarketShare. About 25% run either IE9 or IE10.

Computer users who are running the Windows XP operating system are out of luck. Microsoft discontinued support of the system on April 8.

Symantec is offering XP users tools to protect themselves, which it has made available on its blog.

Microsoft Security Advisory 2963983: Vulnerability in Internet Explorer Could Allow Remote Code Execution

20140428mo-computer-security-news-675x300

(Source: Microsoft Security Advisory 2963983)

Executive Summary

Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. For information about protections released by MAPP partners, see MAPP Partners with Updated Protections.

Microsoft continues to encourage customers to follow the guidance in the Microsoft Safety & Security Center of enabling a firewall, applying all software updates, and installing antimalware software.

Mitigating Factors:

  • By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.
  • By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.