To say Internet Explorer has had a few issues in 2014 would be like saying Lindsay Lohan has been in the media a couple of times. Of course, there is no such thing as a perfectly secure application, operating system or user, and while Firefox and Chrome also have had their share of issues, according to CVEDetails.com. Internet Explorer has had 275 vulnerabilities, and 53 of these have occurred this year. To be fair, these have different severity and risk levels, and some only impact specific versions such as 11, but this is supposedly the best and most secure browser from Microsoft.
Like rapidly popping corn, it's now almost too difficult to keep track of the latest IE bugs. The latest one is a biggie, and so once more it's time for system administrators to stop what they're doing and get out the fire hoses.
How are you at risk?
The IE bug du jour is known as 2963983 (or "CVE-2014-1776" on CVEDetails.com): "Microsoft Internet ExplorerRemote Code Execution Vulnerability." It affects all Internet Explorer versions using Adobe Flash.
Remote code execution which basically means handing the keys of your system to someone else and letting them drive. Even if you don't have admin rights, you still have certain privileges which could be exploited. For instance, your data could be accessed or stolen.
This exploit can be triggered on a system which accesses a malicious site using Internet Explorer or any of the components thereof. Programs such as Outlook, Outlook Express, and Windows Mail open HTML email messages via IE controls, but the good news is that they do so in a "restricted sites" zone which helps protect the operating system. However, clicking a link to access a site via Internet Explorer could still trigger the bug.
Workstations running IE in Enhanced Protected Mode and servers running IE in Enhanced Security Configuration mode are not at risk. However, since this mode renders IE basically unusable due to a never-ending stream of nagging prompts and blocked access (Microsoft is about as subtle as a Macho Man Randy Savage when it comes to hammering users with prompts), it's conceivable it was turned off on many servers. I don't advise accessing the web from a server anyway since this seems unwise given the current state of the internet and the browsers which connect to it.
What can you do to mitigate the threat?
Due to the severity of this crisis, Microsoft is releasing an impromptu (also known as "out of bound") patch as of May 1 (Security Update for Internet Explorer 2965111). Although it originally seemed that Windows XP would be left out in the rain, Microsoft has designed the patch for XP as well as currently supported versions of Windows.
It's critical that you run Windows Update ASAP to get the fix or download, approve and release it to your users via your internal patch methodologies (such as Windows Server Updates Services, aka WSUS). You can also download the appropriate version(s) of the patch directly via the above link and install it manually or roll out via scripting strategies.
Looking up and down the road
When the issue first reared its head security experts advised users not to run Internet Explorer and to uninstall Adobe Flash. Microsoft also released an advisorysuggesting the use of their EnhancedMitigation Experience Toolkit 4.0 or 4.1 (EMET) which is designed to lock down software to make it more difficult to exploit vulnerabilities and to unregister a system dynamic link library (DLL) file targeted by this bug, using the following command:
%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
Anyone who ran this command would need to undo the change before applying the patch; are provided in the Security Bulletin link.
Other tips included standard fare such as updating anti-malware signatures and avoiding suspicious links/sites.
My company had it easy; most users have multiple browsers installed and are intimately familiar with each of them. Quite few actually use Internet Explorer - when discussing this incident one user even asked me tongue-in-cheek: "What's IE?" So it was simple for us to advise the user community to switch to Firefox exclusively until a patch was released. For some public or loaner workstations we even renamed iexplore.exe via a simple batch script. This script connected to the computers and executed the commands:
takeown /f "c:\program files\internet explorer\iexplore.exe" /A
rename "C:\program files\internet explorer\iexplore.exe" iexplore.bad
The first command changes ownership of the Internet Explorer executable from "TrustedInstaller" to the local Administrators group - something I would prefer anyhow since I don't care for the way Microsoft obsessively hides or blocks things even from administrators - and the second renames the executable so it cannot run. It's also possible to achieve a similar effect by using application blacklisting in system management tools such as Symantec Endpoint Protection.
This situation will die down as companies roll out the patch, but there will likely be a similar eruption quite soon, whether next week or next month. At the risk of sounding extreme, I feel many companies should consider dumping Internet Explorer permanently or at least ensuring their employees have multiple browsers installed and know which sites work well (or not at all) on them to prepare for future occurrences of this nature. As I said previously, it's true that any browser might suffer a bug of this nature, but since the alternatives like Firefox and Chrome are more "standalone apps" and less woven throughout the operating system - Outlook doesn't use their code, for instance - I feel these options are safer. Personally I feel Microsoft's strategy with IE has meant more unimpressive bells and whistles (anyone remember "web slices" from IE 8? Anyone actually use them?) and less focus on the underpinnings of the application to render it a reliable choice, at least as a primary browser.
Now, according to netmarketshare.com, Internet Explorer occupies 57.64% of the browserspace (IE 6 is more widely used than IE 7!). I realize that this decision may not be easy for many organizations. Users may be familiar only with IE, or the company might have it tightly integrated into their environment through customized settings, group policies, corporate home pages and so forth. Some sites are may always work better on Internet Explorer such as Sharepoint and Outlook WebAccess. However, as 2014 unwinds and we unwind the fire hoses again and again, hopefully this concept serves as food for thought in helping guide future strategy: dependency on one application is undesirable, just as putting all your eggs in one basket.
Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.