
Microsoft releases patch for newest IE bug

There's a new zero-day Internet Explorer vulnerability making the rounds. Here's what you need to know to stay safe.


To say Internet Explorer has had a few issues in 2014 would be like saying Lindsay Lohan has been in the media a couple of times. Of course, there is no such thing as a perfectly secure application, operating system or user, and Firefox and Chrome also have had their share of issues. According to CVEDetails.com, Internet Explorer has had 275 vulnerabilities, and 53 of these have occurred this year. To be fair, these have different severity and risk levels, and some only impact specific versions such as 11, but this is supposedly the best and most secure browser from Microsoft.

Like rapidly popping corn, it's now almost too difficult to keep track of the latest IE bugs. The latest one is a biggie, and so once more it's time for system administrators to stop what they're doing and get out the fire hoses.

How are you at risk?

The IE bug du jour is known as 2963983 (or "CVE-2014-1776" on CVEDetails.com): "Microsoft Internet Explorer Remote Code Execution Vulnerability." It affects all Internet Explorer versions using Adobe Flash.

Remote code execution basically means handing the keys of your system to someone else and letting them drive. Even if you don't have admin rights, you still have certain privileges which could be exploited. For instance, your data could be accessed or stolen.

This exploit can be triggered on a system which accesses a malicious site using Internet Explorer or any of the components thereof. Programs such as Outlook, Outlook Express, and Windows Mail open HTML email messages via IE controls, but the good news is that they do so in a "restricted sites" zone which helps protect the operating system. However, clicking a link to access a site via Internet Explorer could still trigger the bug.

Workstations running IE in Enhanced Protected Mode and servers running IE in Enhanced Security Configuration mode are not at risk. However, since this mode renders IE basically unusable due to a never-ending stream of nagging prompts and blocked access (Microsoft is about as subtle as a Macho Man Randy Savage when it comes to hammering users with prompts), it's conceivable it was turned off on many servers. I don't advise accessing the web from a server anyway since this seems unwise given the current state of the internet and the browsers which connect to it.

What can you do to mitigate the threat?

Due to the severity of this crisis, Microsoft is releasing an impromptu (also known as "out of band") patch as of May 1 (Security Update for Internet Explorer 2965111). Although it originally seemed that Windows XP would be left out in the rain, Microsoft has designed the patch for XP as well as currently supported versions of Windows.

It's critical that you run Windows Update ASAP to get the fix, or download, approve and release it to your users via your internal patch methodologies (such as Windows Server Update Services, aka WSUS). You can also download the appropriate version(s) of the patch directly via the above link and install it manually or roll it out via scripting strategies.

Looking up and down the road

When the issue first reared its head, security experts advised users not to run Internet Explorer and to uninstall Adobe Flash. Microsoft also released an advisory suggesting the use of their Enhanced Mitigation Experience Toolkit 4.0 or 4.1 (EMET), which is designed to lock down software to make it more difficult to exploit vulnerabilities, and to unregister a system dynamic link library (DLL) file targeted by this bug, using the following command:

"%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

Anyone who ran this command would need to undo the change before applying the patch; instructions are provided in the Security Bulletin link.

Other tips included standard fare such as updating anti-malware signatures and avoiding suspicious links/sites.

My company had it easy; most users have multiple browsers installed and are intimately familiar with each of them. Quite few actually use Internet Explorer - when discussing this incident one user even asked me tongue-in-cheek: "What's IE?" So it was simple for us to advise the user community to switch to Firefox exclusively until a patch was released. For some public or loaner workstations we even renamed iexplore.exe via a simple batch script. This script connected to the computers and executed the commands:

takeown /f "c:\program files\internet explorer\iexplore.exe" /A

rename "C:\program files\internet explorer\iexplore.exe" iexplore.bad

The first command changes ownership of the Internet Explorer executable from "TrustedInstaller" to the local Administrators group - something I would prefer anyhow since I don't care for the way Microsoft obsessively hides or blocks things even from administrators - and the second renames the executable so it cannot run. It's also possible to achieve a similar effect by using application blacklisting in system management tools such as Symantec Endpoint Protection.
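Both workarounds above have to be reversed at some point: the vgx.dll change before the patch goes on, the rename once the machine is patched. The following PowerShell function is an added example, not a script from this article or from Microsoft. It assumes Windows Vista or later, an elevated prompt and default install paths; the function name and the handling of the (x86) copy of vgx.dll on 64-bit Windows are assumptions made here.

```powershell
# Added example, not from the article. Run from an elevated prompt.
# Assumes Windows Vista or later and default install paths.
function Undo-IEWorkaround {
    # 1. Restore iexplore.exe if it was renamed to iexplore.bad.
    $ieDir = Join-Path $env:ProgramFiles 'Internet Explorer'
    $bad   = Join-Path $ieDir 'iexplore.bad'
    $exe   = Join-Path $ieDir 'iexplore.exe'
    $renamedBack = $false
    $ownerReset  = $false
    if ((Test-Path $bad) -and -not (Test-Path $exe)) {
        Rename-Item -Path $bad -NewName 'iexplore.exe'
        $renamedBack = $true
        # takeown /A gave the file to Administrators; hand it back.
        & icacls.exe $exe /setowner 'NT SERVICE\TrustedInstaller' | Out-Null
        $ownerReset = ($LASTEXITCODE -eq 0)
    }

    # 2. Re-register vgx.dll. regsvr32 without -u registers; /s is silent.
    #    Checking the (x86) copy as well is an assumption added here.
    $regsvr = Join-Path $env:SystemRoot 'System32\regsvr32.exe'
    $registered = @()
    foreach ($base in @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)})) {
        if (-not $base) { continue }              # variable absent on 32-bit Windows
        $dll = Join-Path $base 'Microsoft Shared\VGX\vgx.dll'
        if (-not (Test-Path $dll)) { continue }
        $p = Start-Process -FilePath $regsvr `
                -ArgumentList '/s', ('"{0}"' -f $dll) -Wait -PassThru
        if ($p.ExitCode -eq 0) { $registered += $dll }
    }

    # 3. Report what was changed so the result can be logged per machine.
    New-Object PSObject -Property @{
        Computer      = $env:COMPUTERNAME
        IeRenamedBack = $renamedBack
        OwnerReset    = $ownerReset
        VgxRegistered = $registered
    }
}

Undo-IEWorkaround | Format-List
```

An empty VgxRegistered list, or OwnerReset left at False after a rename, marks a machine that needs a manual look.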

This situation will die down as companies roll out the patch, but there will likely be a similar eruption quite soon, whether next week or next month. At the risk of sounding extreme, I feel many companies should consider dumping Internet Explorer permanently or at least ensuring their employees have multiple browsers installed and know which sites work well (or not at all) on them to prepare for future occurrences of this nature. As I said previously, it's true that any browser might suffer a bug of this nature, but since the alternatives like Firefox and Chrome are more "standalone apps" and less woven throughout the operating system - Outlook doesn't use their code, for instance - I feel these options are safer. Personally I feel Microsoft's strategy with IE has meant more unimpressive bells and whistles (anyone remember "web slices" from IE 8? Anyone actually use them?) and less focus on the underpinnings of the application to render it a reliable choice, at least as a primary browser.

Now, according to netmarketshare.com, Internet Explorer occupies 57.64% of the browser space (IE 6 is more widely used than IE 7!). I realize that this decision may not be easy for many organizations. Users may be familiar only with IE, or the company might have it tightly integrated into their environment through customized settings, group policies, corporate home pages and so forth. Some sites, such as SharePoint and Outlook Web Access, may always work better on Internet Explorer. However, as 2014 unwinds and we unwind the fire hoses again and again, hopefully this concept serves as food for thought in helping guide future strategy: dependency on one application is undesirable, just like putting all your eggs in one basket.

About

Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.

44 comments
DRDRJAY1

Thanks, but Microsoft already patched most machines by automatic updates.

fiosdave

Checking CVEdetails.com  shows the following vulnerabilities for 2014:

IE11 54

Chrome 57

Firefox 51



Gisabun

Seems the author couldn't care less about IE - judging by his comments scattered throughout the story. Probably a simpler solution [temporary or not] on a domain is to disable IE. Those who despise IE can request a version of Windows without IE [thanks to those pansies at the EU commission].

EMET was updated to 4.1 update 1 a week ago.

Joseph Crowell

netmarketshare.com has to be wrong. IE6 hasn't been capable of rendering most sites properly for at least 10 years. It's probably counting bots that identify themselves as IE 6.

SHCA

The true "waste of internet space" is all this mindless Microsoft bashing. IE is only a target because it is still the biggest player by a long shot, and because it's from big, bad Microsoft. You remember them, the ones who made personal and business computing and web browsing even possible in the first place. You're all just lucky MS has a thick skin and doesn't assign black marks based on unreasoned public tantrums.


Sure there are problems, but actually less than all the others on a percentage basis.  It's inextricably integrated to the OS because that's what's necessary to provide the kind of all-dancing capabilities this generation thinks are necessary.  You think integrating "Angry Birds" and any other fluffy App with every corporate line of business software and being available on all phones, tablets, game consoles, PCs and Macs is easy?  Who would give it to you if not Microsoft?


So once in a few years (I can't remember the last time I had to switch browsers for a security bug) you have to live with second best for a week, is that worth killing the baby to spite the bathwater?  Grow up, every one, or try getting a job by insisting you'll only use iPhone and Mac or Linux.


And no, I'm not paid or in any way compensated or influenced by Microsoft.  Check my record, I roast them when they deserve it.  I just don't trash them because I can.

philstilliard

There are too many patches.  I know they are essential, but Microsoft should roll them up into a smaller number.  Too often when I install Windows 7 with 140+ updates, it crashes on one of the updates.

bobmattfran

Simple answer is dump any version of IE. No more nonsensical downloads which are only a stop gap, no more IE bloatware and a far cleaner machine.

Pflash

I don't think you guys realized that the latest problem was noticed by bad code in Flash files.  And that the vulnerability was the same whether using IE or Chrome.  It appears to be a complicated vulnerability with a hit or miss result at gaining control of a machine.  http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html

I service 500+ machines and Chrome, Firefox, and IE have been going through upheaval since about Oct/Nov 2013.  Things are back to normal the past 2-3 months, so I cautiously watch what my users are doing, and what browser they work with.

Needless to say, I was pretty fracked off when Chrome users found, in another recent problem, that it would maintain secure connections even when you told it to not remember passwords.  http://www.pcmag.com/article2/0,2817,2373853,00.asp Notice this article says, "if you are very concerned with privacy, Chrome isn't for you.."

Also: http://arstechnica.com/security/2014/04/google-chrome-protection-for-heartbleed-hacked-sites-called-completely-broken/

The first article will also clear up some browser performance arguments going on.  Depends on the test.  Was interesting to see IE 11 beat out browsers on certain screen-draw tests. Second article shows that users should just flat be wary of any product they use, do your homework if you are going to use any software for a particular purpose.  I'm not addressing the average user, I'm addressing those who are concerned enough to use the best products, and willing to replace software on their machine... do your research.

I've basically found that people should stop screaming about browsers and realize that the world is changing, and for the better, but we get to live through the bumps as the industry goes through growing pains.  Since everyone is updating their code, seemingly in real-time, it makes life miserable when they get it wrong.

A recent conference showed me that everyone is about "disruptive business behavior" in order to maintain dominant positions in the market.  And that means that every major software manufacturer is pushing the limits right now as we move from the XP era into HTML5 era.

Frankly, I'm glad that XP is going away, over half of my infrastructure is XP, and I'm tired of hanging onto the past.  I'm now a firm believer in Windows 8.1 as it has run everything I have thrown at it, things that Windows 7 and Windows 8.0 couldn't run.

Well, there was the one user who insists on running "Print Shop 8.0", it couldn't do that....

ccs9623

My lord, you people are really on top of things, eh?  Even the 'mainstream media' covered this LAST WEEK.


" Symantec Endpoint Protection." ??  Why not just run Windows unpatched?  You'd have the same results.


Sheesh, what a waste of Internet space.

BRS

Old news. Even got this in the UK on the 2nd of May. Come on, girl, keep up.

Mark Fudge

Use it or not one will need to patch it if you use micro$oft. IE is such an integral part of the OS one cannot ignore the update.

Gisabun

I see plenty of people with their anti-Microsoft and/or biased mindset.

If you search the Internet you will find Chrome browser with the most vulnerabilities of all web browsers in 2013 and 2011 [that year it had more vulnerabilities than ALL Microsoft products!]. In 2012, it was in second place after Safari. These were reported by GFI and Symantec.

Are all browsers perfect? Nope. But I think a few here have been brainwashed.

Leon Borin

Best advice: use Linux or Openbsd and use browser preloaded with Linux based or Openbsd based OS or use Firefox. Google will spy on you if you use chrome or chromium based browser. If you are really rich use Mac and use Safari..

Danny Ha

I gave up IE five years ago.

lilbubba

Glad you're unbiased. Look at your Chrome recommendation: update 34 fixes over 30 security vulnerabilities, 19 highly critical. http://www.zdnet.com/google-patches-31-chrome-flaws-issues-bug-bounty-rewards-7000028237/

Your combination of 53 this year (not impacting every version) is better in my opinion than over 30 in one release. And mind you... Chrome updates frequently so these aren't the only security vulnerabilities this year.

Yes the browser has flaws but it has come a long way since the IE6-IE8 days that everyone seems to compare it to.

Steven Berliner

Instructions for Safety: Step one: Download Chrome, Firefox or Opera. Step two: Install Chrome, Firefox or Opera as instructed by downloaded installer. Step three: Unpin IE from the Taskbar. Step four: Pin Chrome, Firefox or Opera to the taskbar in place of IE. Step five: You are now safe.

George Whitman Too

Microsoft: Buy a new computer with the latest OS. Consumer: Why? Microsoft: Cause it's more secure! Consumer: Bunch of BS. New OS, new unsolved security issues.

Shane Faulkinbury

But using Tor I find a bunch of users trying to get into my machine.

Shane Faulkinbury

I heard Microsoft fixed the issue. However I use Firefox which downloads a bunch of malware according to SpyHunter 4.0. So now I mainly use the Tor browser which is on a proxy server, but I find a lot of users using Tor to try to get into my machine in the Command Prompt using netstat -an | find /I "established" .

Scott Matteson

Thanks, Robert - I am the author of the article and I came to the very same conclusion. At the very least companies should roll out alternate browsers so users can switch to these in a similar "don't use IT until patched" scenario.

Robert M Gagne

All you need to know to stay safe: DO NOT use IE. Not only does it have more security issues than others, it is the dead slowest browser out there (by a huge margin). So many options. Why use the worst one?

Gisabun

@bobmattfran "IE bloatware" - Oh from people who install toolbars that they don't need. Such as the Google Toolbar for IE.

Gisabun

@ccs9623 Sometimes you have to wonder how some people got to where they are. Journalists [even on the web] are supposed to be impartial. Seems TR lacks them.

smmatteson

@ccs9623  Given the fact many users were unaware of the retirement of Windows XP despite Microsoft's repeated announcements well in advance, I don't think this article was past the "shelf life" of this specific issue.  Further, I included other details on how to address/mitigate other IE vulnerabilities (EMET for instance) and recommended companies consider retiring IE or at least making sure users have other browsers available to switch to in the event of further incidents (which are inevitable).


As for Symantec Endpoint Protection, it has served my organization quite well for years, providing us with workstation controls in addition to anti-malware protection.  Both my team and our security department are well satisfied with the results it has provided.  Your opinion notwithstanding, it represents a valid example of a control mechanism which can be used to prohibit executables from running, and of course alternative products are available which can accomplish the same, depending on the admin's preference.

NickNielsen moderator

@ccs9623 Headline:  "Microsoft releases patch for newest IE bug"

Article synopsis:  Microsoft releases patch for the Flash vulnerability that was revealed last week.

Yes, the takeaway could have made it more clear that this was about last week's zero-day bug, but actually reading the post would have done the same.

JTONLY

@lilbubba Isn't this Old News, in that wasn't this reported to have been "fixed" last week?

Gisabun

And you think Linux is perfect? Ever hear of Heartbleed?

Jaytmoon

Or, install deepfreeze on your pc and stop worrying

Gisabun

Or maybe you are the magnet. It is the user who causes viruses [they still exist?], trojans and worms when they open Emails they shouldn't have or go to naughty web sites.

Gisabun

And exactly where did you get this "fact" from? If it is slower by 0.005 seconds will you notice?

smmatteson

@Gisabun @ccs9623  Anonymous comments have much less value than remarks from real-life people.  I recommend posting as yourself rather than an alias when making derogatory remarks about the background and qualifications of others; it'll add a bit more weight to your argument.


In terms of impartiality, I am a technologist as well as a journalist, so any partiality I may evince towards products comes from experience using, administering and troubleshooting them. My job is not to state "all browsers are equally good," but to make recommendations based on my experience as to which products are a better bet for users and organizations alike.  I'm not paid by vendors to promote one view versus another, so any opinions I share are the result of hands-on work in the field.

bobc4012

@Gisabun Heartbleed had nothing to do with Linux. Microsoft shills tend to confuse Open Source and Linux. A security audit would most likely have caught it (something that seems to be frequently missed in Microsoft products based on the prolific number of security patches it sends out).

NickNielsen moderator

@Gisabun

Umm...how does questioning Microsoft's marketing equate to not knowing Linux has security issues of its own?

bobmattfran

@Gisabun Please get a sense of proportion. IE has been a dead dog since it was dumped on the unsuspecting user base well before other browsers were in common use. It's a sieve designed by fools who don't/can't pay attention to detail. Why do you think most government users have to use an Intranet and are only allowed to use a standalone machine to access the internet. IE is a huge joke which has never been fit for purpose since day one.