Brittenford Systems cares about its users, and would like to share this notice with all concerned users of Microsoft Internet Explorer and those still using Windows XP.
(ZDNet) Late Saturday Microsoft revealed a vulnerability in all versions of Internet Explorer that is being used in “limited, targeted attacks.” They are investigating the vulnerability and exploit and have not yet determined what action they will take in response or when.
All versions of Internet Explorer from 6 through 11 are listed as vulnerable as well as all supported versions of Windows other than Server Core. Windows Server versions on which IE is run in the default Enhanced Security Configuration are not vulnerable unless an affected site is placed in the Internet Explorer Trusted sites zone.
The vulnerability was reported to Microsoft by research firm FireEye. FireEye says that, while the vulnerability affects all versions of IE, the attack is specific to versions 9, 10 and 11. It is a “use after free” attack in which memory objects in the browser are manipulated after being released. The attack bypasses both DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).
The specific exploit, according to FireEye, uses an Adobe Flash SWF file to manipulate the heap with a technique called heap feng shui. Neither Microsoft nor FireEye says it, but this implies that systems without Flash installed are not vulnerable to the specific exploit, although they are to the underlying vulnerability in Internet Explorer. Internet Explorer 10 and 11 come with Flash embedded, so they are vulnerable by default.
What is a Zero-Day Vulnerability?
A zero-day vulnerability is a hole in software that is unknown to the vendor. Attackers exploit the hole before the vendor becomes aware of it and hurries to fix it; that exploitation is called a zero-day attack. Zero-day attacks can be used to plant malware or spyware, or to gain unwanted access to user information. The term “zero day” refers to the hole being unknown to anyone but the attackers, above all the developers who would need to fix it. Once the vulnerability becomes known, a race begins for the developer, who must protect users.
Minimizing Risk from Zero-Day Attacks
In practice, the vulnerability is triggered when a user follows a link to an affected site in Internet Explorer. Microsoft is working on a patch that we expect to receive in the near future. In the interim:
- Please have users use another browser – Firefox, Chrome, or Safari.
- If users must use Internet Explorer, please make sure they are aware of the issue and do not click on links until the vulnerability is remediated; also install Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).
- If Remote Desktop Services (RDS) is available, IE use can be restricted to that environment, which continues to give secure access to core business applications that require IE to function fully.
We understand that some older systems require IE and that this is vital for business continuity; there are options to keep using IE while staying protected from this specific exploit. Please contact us if you are in this situation to discuss mitigation options.
If you have not yet migrated off Windows XP, this is the first of what may be many threats that Microsoft will not remediate on XP. Please ensure users on XP machines DO NOT use Internet Explorer unless a business application depends on it. Please contact your Customer Advocate today so that XP can be retired expeditiously.
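As an added example (not part of the Brittenford notice), the following PowerShell function reports where a Windows machine stands against the criteria above: IE version, Enhanced Security Configuration, Trusted sites entries, Flash embedded in IE 10/11, EMET presence and whether the host is still on XP. The registry locations are the standard IE ones; the Flash.ocx and EMET paths are assumptions.

```powershell
# Added example: per-host exposure report for the IE zero-day described in the notice.
# Registry paths are standard IE locations; Flash.ocx and EMET folder paths are assumptions.
function Get-IEExposureReport {
    $ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    # IE 10/11 record the real version in svcVersion; older releases only in Version
    $ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
    $major = 0
    if ($ieVersion) { $major = [int]($ieVersion -split '\.')[0] }

    # Enhanced Security Configuration for administrators (server SKUs); IsInstalled = 1 means enabled
    $escKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    $escEnabled = (Get-ItemProperty $escKey -ErrorAction SilentlyContinue).IsInstalled -eq 1

    # Trusted sites zone entries have ZoneMap value 2; any such site bypasses the ESC protection
    $trusted = @()
    $zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    Get-ChildItem $zoneRoot -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and $p.Value -eq 2) {
                $trusted += $_.Name.Substring($_.Name.IndexOf('Domains\') + 8)
            }
        }
    }

    # Flash embedded in IE 10/11 ships as Flash*.ocx under System32\Macromed\Flash (assumed path)
    $flashPresent = [bool](Get-ChildItem "$env:windir\System32\Macromed\Flash\Flash*.ocx" -ErrorAction SilentlyContinue)

    # EMET presence assumed from its install folder (name is version-specific, hence the wildcard)
    $emetPresent = (Test-Path "$env:ProgramFiles\EMET*") -or (Test-Path "${env:ProgramFiles(x86)}\EMET*")

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        IEVersion         = $ieVersion
        VulnerableVersion = ($major -ge 6 -and $major -le 11)      # all of IE 6-11 per the notice
        ExploitTargeted   = ($major -ge 9 -and $major -le 11) -and $flashPresent
        ESCEnabled        = $escEnabled
        TrustedSites      = (($trusted | Sort-Object -Unique) -join ',')
        EMETInstalled     = $emetPresent
        WindowsXP         = ([Environment]::OSVersion.Version.Major -eq 5)
    }
}

Get-IEExposureReport | Format-List
```

Run it per host (for example through Invoke-Command or a logon script) and prioritise machines where ExploitTargeted is True, EMETInstalled is False, or TrustedSites is non-empty on an ESC-protected server.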