Even before everyone was able to fully digest the impact of the massive Heartbleed vulnerability, another large-scale vulnerability was announced. On April 26, Microsoft announced a major vulnerability in its Internet Explorer web browser affecting versions 6 through 11. It could allow remote code execution because of the way IE accesses an object in memory that has been deleted or not properly allocated.
This bug would be a concern on its own, but a few factors make it even worse. While Heartbleed affected 17 percent of the web servers on the Internet, Internet Explorer is used by about 25 percent of users browsing the web. That means a quarter of users are affected by this vulnerability and need to act in order to protect themselves and their data.
The other major factor is that the bug affects many versions of Windows, including Windows XP. On April 8, Microsoft ended support for XP, which means it will no longer provide patches for Windows XP or for applications running on it. This is the first major vulnerability discovered and announced since then that affects XP and the many users still running that OS. Microsoft will not be patching the vulnerability for those users, thereby leaving them exposed.
So what is someone to do if they are using an affected version of Internet Explorer? Here are the suggestions from Microsoft:
- Deploy the Enhanced Mitigation Experience Toolkit (EMET) 4.1
- Set the Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in those zones
- Configure Internet Explorer to prompt before running Active Scripting, or to disable Active Scripting
- Modify the Access Control List on VGX.DLL to be more restrictive
- Enable Enhanced Protected Mode for Internet Explorer 11, and enable 64-bit processes for Enhanced Protected Mode
There is also a list of other workarounds on the Microsoft website.
Finally, Microsoft encourages users to check for updates regularly in order to receive the patch for this vulnerability, at least on supported OSs and versions of Internet Explorer.
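To see whether the workarounds above are actually in place on a given machine, here is a read-only audit script added as an example for this post; it is not code from the original article or from Microsoft. It assumes the usual locations of the IE zone and Enhanced Protected Mode settings in the registry, the default EMET 4.1 install folder, and the VGX.DLL path under Common Files; verify these against Microsoft's advisory for your environment.

```powershell
# Added audit example (not from the original post or from Microsoft). Read-only: it changes nothing.
# Assumed registry locations and values: zone 3 = Internet zone, 1200 = run ActiveX controls,
# 1400 = Active Scripting (0 = enable, 1 = prompt, 3 = disable); Isolation = PMEM enables EPM.
$report = [ordered]@{}

function Describe-ZoneSetting($v) {
    # $null means the value is absent (IE default applies); switch cannot be used directly on $null
    if ($null -eq $v) { return 'not set (default)' }
    switch ([int]$v) { 0 {'enabled'} 1 {'prompt'} 3 {'disabled'} default {"unknown ($v)"} }
}

# 1. IE version (the advisory covers IE 6 through 11; svcVersion exists on IE 10+, Version on older builds)
$ieKey = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
$report['IE version'] = if ($ieKey.svcVersion) { $ieKey.svcVersion } else { $ieKey.Version }

# 2. EMET 4.1 present? (assumed default install folder)
$emetPaths = @("$env:ProgramFiles\EMET 4.1\EMET_Conf.exe", "${env:ProgramFiles(x86)}\EMET 4.1\EMET_Conf.exe")
$report['EMET 4.1 installed'] = [bool]($emetPaths | Where-Object { Test-Path $_ })

# 3. Internet zone: are ActiveX controls and Active Scripting blocked or set to prompt?
$zone = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' -ErrorAction SilentlyContinue
$report['Internet zone ActiveX (1200)'] = Describe-ZoneSetting $zone.'1200'
$report['Internet zone Active Scripting (1400)'] = Describe-ZoneSetting $zone.'1400'

# 4. VGX.DLL: present on disk, and has Everyone been denied access via the ACL workaround?
$vgxPaths = @("$env:CommonProgramFiles\Microsoft Shared\VGX\vgx.dll", "${env:CommonProgramFiles(x86)}\Microsoft Shared\VGX\vgx.dll") |
    Where-Object { Test-Path $_ }
if (-not $vgxPaths) { $report['VGX.DLL present'] = $false }
foreach ($dll in $vgxPaths) {
    $deny = (Get-Acl $dll).Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and $_.AccessControlType -eq 'Deny' }
    $report["VGX.DLL Everyone denied ($dll)"] = [bool]$deny
}

# 5. Enhanced Protected Mode (IE 10/11) and its 64-bit content processes
$main = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
$report['Enhanced Protected Mode'] = ($main.Isolation -eq 'PMEM')
$report['EPM 64-bit processes'] = ($main.Isolation64Bit -eq 1)

$report.GetEnumerator() | Format-Table -AutoSize
```

Run it in the context of the user whose browser you are checking, since the zone and EPM settings live under HKCU.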
If everything above seems complicated, there are other ways to protect yourself.
Move to a browser other than Internet Explorer. The US Department of Homeland Security recommends running a different web browser, at the very least until this bug is fully patched and remedied. I echo this advice and would suggest looking for a browser that is still supported by its maker and perhaps has a better history of patching vulnerabilities.
Patch this vulnerability using a host intrusion prevention system (HIPS). While the world waits for Microsoft to patch this vulnerability on supported systems, you can be proactive and run a host IPS solution to protect yourself. Solutions like Trend Micro’s Deep Security have the ability to protect your systems from being exploited, keeping users and data safe.
Add more layers to your defense in depth. The massive IE exploit was discovered by the cybersecurity software maker FireEye. Solutions like FireEye are better able to detect, track and mitigate advanced malware in an environment. Adding these types of solutions to your multilayered security infrastructure will help to better protect your network before, during and after an attack.
Some General Advice:
- Make sure all your systems are supported by the manufacturer so they can receive updates and patches.
- Patch systems in a timely manner anytime any vulnerability is announced (major or minor).
- Develop a documented patching procedure including testing and deployment.
- Be proactive by running host intrusion prevention on systems to fill the hole between vulnerability discovery and patching.
- Regularly scan your network and any applications for vulnerabilities.