Security Advisory on the recent Internet Explorer Vulnerability

I guess you might have seen it by now but if not, please make sure you read and understand the material available:

Tonight we released a Security Advisory, "Vulnerability in Internet Explorer Could Allow Remote Code Execution". The reason is that our investigations have shown that this vulnerability was one of the attack vectors used in the recent attacks against Google. So, please read the blog post from our Microsoft Security Response Center on the release of the advisory.

I just want to quote some of the key elements in there:

Based upon our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks.

[…]

Our teams are currently working to develop an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out of band.

[…]

Customers should also enable Data Execution Prevention (DEP) which helps mitigate online attacks. DEP is enabled by default in IE 8 but must be manually enabled in prior versions.

There are some additional mitigations shown in the advisory. However, a few things from my side:

  • Yes, it is a vulnerability and we are doing everything to fix it in time without breaking your systems. So, even though we all understand the urgency of an update, it has to be tested. There is a good chance that somebody will soon release an update for this vulnerability that does not come from us. Past experience has shown that those updates usually are not tested thoroughly and that there is a good chance that they will break certain systems. In my opinion, this risk is often higher than the risk of being attacked.
  • Make sure that you are watching our internet sites in case we go out of band.
  • Use the protections built into the operating system and the browser, e.g. Data Execution Prevention as mentioned above. Yes, it breaks certain applications. On my system, where I switched DEP completely on, I had to exclude my Sony Reader software as it did not work – it was terminated and it took me a while to figure out why. But this is the only application which had to be excluded. Switch that on (use Group Policies) in Internet Explorer as well.

I realized that it might be necessary to give an introduction on how to switch DEP on, and I therefore wrote a post on that as well today: Leveraging Data Execution Prevention (DEP)

Roger
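
One way to check whether a given machine is covered by the DEP advice above, as an added example that is not part of the original post or of Microsoft's advisory. It assumes PowerShell 3.0 or later (for Get-CimInstance); the function name Get-IeDepAssessment is hypothetical.

```powershell
# Added example (not from the original post): audit a host's DEP posture for IE.
# Keys are the values of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy.
$PolicyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

# Hypothetical helper: pure decision logic, so it can be fed inventory data too.
function Get-IeDepAssessment {
    param(
        [Parameter(Mandatory)][int]$SupportPolicy,
        [Parameter(Mandatory)][bool]$HardwareDepAvailable,
        [Parameter(Mandatory)][int]$IeMajorVersion
    )
    $name = $PolicyNames[$SupportPolicy]
    if (-not $name) { $name = "Unknown($SupportPolicy)" }

    $finding = if (-not $HardwareDepAvailable) {
        'ACTION: hardware-enforced DEP is not available on this host.'
    } else {
        switch ($name) {
            'AlwaysOn'  { 'OK: DEP is forced on for every process.' }
            'OptOut'    { 'OK unless iexplore.exe is on the DEP exclusion list.' }
            'OptIn'     {
                # Per the advisory text quoted above: default-on in IE 8 only.
                if ($IeMajorVersion -ge 8) { 'OK: IE 8 enables DEP by default.' }
                else { 'ACTION: IE before 8 needs DEP enabled manually or by Group Policy.' }
            }
            'AlwaysOff' { 'ACTION: DEP is disabled system-wide.' }
            default     { 'REVIEW: unrecognised DEP policy value.' }
        }
    }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        DepPolicy = $name
        IeMajor   = $IeMajorVersion
        Finding   = $finding
    }
}

# Live data: system DEP policy from CIM, IE version from the registry.
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$ieKey = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
# IE 10+ keeps the real version in svcVersion; older builds only have Version.
$ieVer = if ($ieKey.svcVersion) { $ieKey.svcVersion } else { $ieKey.Version }
if (-not $ieVer) {
    Write-Warning 'Internet Explorer version not found in the registry.'
} else {
    Get-IeDepAssessment -SupportPolicy $os.DataExecutionPrevention_SupportPolicy `
        -HardwareDepAvailable $os.DataExecutionPrevention_Available `
        -IeMajorVersion ([int]($ieVer -split '\.')[0])
}
```

An OptOut result still needs the exclusion list reviewed, since any excluded program (such as the reader software mentioned above) runs without DEP.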