At Issue
On April 26th, Microsoft issued a security advisory concerning all versions of Internet Explorer.
https://technet.microsoft.com/en-us/library/security/2963983
This vulnerability could allow an attacker to execute arbitrary code on a victim’s computer. The vulnerability affects all versions of Internet Explorer from version 6 through version 11. This is considered a “Zero Day” attack in that there is currently no fix for the issue. At this time Microsoft has detected limited attacks in the wild and is researching the issue to come up with a fix.
According to the Security Advisory released by Microsoft: “On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.”
The Solution
At this time there is not so much a solution as there is a workaround, and there are several of those.
First and foremost, you are the number one security tool at your disposal. Always know where you are browsing. This vulnerability, as with most attacks of this nature, requires the user to click on a link to a specially crafted website. Avoid links to sites that you are not familiar with and do not click on links that are contained in unsolicited emails. Treat all links as potentially dangerous. You wouldn’t take candy from a stranger; do not take browsing hints from them either.
The second option is to increase the security settings within Internet Explorer to a setting of High. This will block ActiveX controls and scripting, which helps to mitigate the risk of an attack. Use the Trusted Sites option within Internet Explorer to allow those features to be used only on those sites that you know to be trustworthy.
The third option is to use a browser other than Internet Explorer until a hotfix is released by Microsoft. This can be somewhat cumbersome unless you choose the option to use that browser as your default browser. Anything less than setting Firefox, Chrome, Opera or any other browser as your default browser still leaves you vulnerable to the attack, as links that are sent via email will open in Internet Explorer first by default.
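To confirm that the second workaround actually took effect on a machine, the added example below (not part of the original advisory or Microsoft's guidance) reads the current user's Internet zone settings from the registry and lists the Trusted Sites entries. It assumes per-user settings under HKCU; settings enforced through Group Policy are stored elsewhere and are not read here.

```powershell
# Added example: audit the current user's IE zone settings against workaround two.
# Assumption: zones are configured per user (HKCU), not enforced by Group Policy.
$base     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$internet = Get-ItemProperty -Path "$base\Zones\3" -ErrorAction Stop   # zone 3 = Internet

# CurrentLevel 0x12000 is the "High" template; anything else is lower or custom.
$level = $internet.CurrentLevel
$label = if ($level -eq 0x12000) { 'High' } else { 'NOT High' }
'Internet zone level: 0x{0:X} ({1})' -f $level, $label

# URL action values: 0 = enabled, 1 = prompt, 3 = disabled.
$state   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$actions = @(
    @('1200', 'Run ActiveX controls and plug-ins'),
    @('1400', 'Active scripting')
)
foreach ($a in $actions) {
    $value = $internet.($a[0])
    if ($null -eq $value) {
        $text = 'not set for this user'
    } elseif ($state.ContainsKey([int]$value)) {
        $text = $state[[int]$value]
    } else {
        $text = "unexpected value $value"
    }
    $flag = if ($text -eq 'Disabled') { 'OK    ' } else { 'REVIEW' }
    '{0} {1} ({2}): {3}' -f $flag, $a[1], $a[0], $text
}

# Trusted Sites are stored per domain; a protocol value of 2 maps it to the Trusted zone.
# Every entry listed here is exempt from the High setting, so keep the list short.
$domains = "$base\ZoneMap\Domains"
'Trusted Sites entries:'
if (Test-Path $domains) {
    Get-ChildItem -Path $domains -Recurse | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            if ($key.GetValue($name) -eq 2) {
                '  {0} (protocol: {1})' -f ($key.Name -replace '^.*\\Domains\\', ''), $name
            }
        }
    }
}
```

Any line marked REVIEW means ActiveX or scripting is still permitted in the Internet zone for that user, and the workaround is not fully in place.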
The XP Impact
This new vulnerability also emphasizes the impact of Microsoft no longer supporting Windows XP. This will be the first major security flaw that will not be covered under Windows Updates. At this time there will not be an update released by Microsoft that will cover those versions that are installed on a Windows XP machine. Indeed, the security advisory does not even list Windows XP on the affected software list, as it is no longer seen as a supported operating system.
What this means to the approximately 430 million users of Windows XP is that they will be left vulnerable to this form of attack and will have to take extra care when using those machines to browse the Internet. In this case, using a third-party browser is a viable solution; however, the consensus is that this is just the first volley in a series of attacks that have not yet been released but are sure to be. The theory is that there are several vulnerabilities that are being held back and will be released slowly over time, allowing users to be lulled into a sense of complacency. As with this issue, these vulnerabilities have been there all along, but have not been used until now because the attackers were just biding their time until Microsoft shelved support for XP.
What this means to you
This should be the wake-up call to all those still on Windows XP. Upgrade your operating system ASAP. For those systems that cannot be upgraded due to software that cannot be updated to run on the newer operating systems, consider blocking those systems from accessing the Internet altogether. Restrict the use of those systems to just their specialized task and nothing more.
If you have any questions or need assistance on this issue, please contact us at support@interdev.com or our support number 678-672-1550.
by Neil Matchan – Chief Technology Officer