A vulnerability discovered in Internet Explorer over the weekend is serious—serious enough that the Department of Homeland Security is advising users to stop using it until it’s been patched.
On Monday, the United States Computer Emergency Readiness Team (US-CERT), part of the U.S. Department of Homeland Security, weighed in.
“US-CERT recommends that users and administrators enable Microsoft EMET where possible and consider employing an alternative web browser until an official update is available.” The Enhanced Mitigation Experience Toolkit (EMET) is a Microsoft utility that helps prevent vulnerabilities in software from being successfully exploited, and can be downloaded from Microsoft. It supports every Microsoft operating system from Windows 7 on up.
“US-CERT is aware of active exploitation of a use-after-free vulnerability in Microsoft Internet Explorer,” it said in a bulletin. “This vulnerability affects IE versions 6 through 11 and could lead to the complete compromise of an affected system.”
The new remote code execution vulnerability, tracked as CVE-2014-1776, has the potential to give attackers the same user rights as the current user. That means a successful attacker who compromises a PC running as administrator would have a wide variety of attacks open to them, such as installing more malware on the system, creating new user accounts, and changing or deleting data stored on the target PC.
Windows XP is especially vulnerable, given that Microsoft discontinued support for the OS earlier this month.
Microsoft Security Advisory #2963983
As you may have recently heard, Microsoft Security Advisory #2963983 was published to announce Microsoft’s acknowledgment of a known exploited vulnerability in Internet Explorer web browsers.
Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer versions 6, 7, 8, 9, 10, and 11. Microsoft is actively working to completely address this concern.
Microsoft has yet to decide whether it will issue an emergency patch in the coming days or wait for patch Tuesday on May 13 to repair supported versions of IE.
To mitigate this issue, all Microsoft Internet Explorer users should follow the suggested actions stated in the Microsoft Security Advisory article. These actions need to remain in place until Microsoft releases a patch for this vulnerability in its Internet Explorer web browser.
What should be your next step?
Tier 1 IP’s general advice is to cease using Internet Explorer until a patch is available. Recommended options are Google Chrome or Firefox. If you feel Internet Explorer is imperative to your workflow and you cannot use an alternative browser, please reach out directly to Tier 1 IP Service Coordinator (817.886.2100) to understand how to mitigate risk.
- By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.
- By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.
- An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.
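The mitigating factors above (the affected IE 6 through 11 range, Enhanced Security Configuration, EMET, and the rights of the logged-on user) can be checked on a Windows host with the following PowerShell script. It is an added example, not part of the Microsoft advisory or Tier 1 IP's guidance, and it assumes the conventional registry locations named in the comments; it reports exposure only and changes nothing.

```powershell
# Added example: report a host's exposure to the IE use-after-free described in
# Microsoft Security Advisory 2963983. Registry paths are assumed from the
# conventional Windows locations noted below; verify them for your build.
function Get-IeExposure {
    # IE version: IE 10/11 keep the real version in svcVersion, older releases in Version.
    $ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    $ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
    $major = if ($ieVersion) { [int]($ieVersion -split '\.')[0] } else { 0 }
    $affected = ($major -ge 6) -and ($major -le 11)   # advisory scope: IE 6 through 11

    # IE Enhanced Security Configuration (Windows Server): Active Setup components for
    # administrators ({...A7...}) and standard users ({...A8...}), IsInstalled = 1 when on.
    $escBase = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\'
    $escAdmin = Get-ItemProperty ($escBase + '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}') -ErrorAction SilentlyContinue
    $escUser  = Get-ItemProperty ($escBase + '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}') -ErrorAction SilentlyContinue
    $escAdminOn = ($escAdmin.IsInstalled -eq 1)
    $escUserOn  = ($escUser.IsInstalled -eq 1)

    # EMET: look for an installed product whose display name starts with "EMET"
    # in the 64-bit and 32-bit Uninstall hives.
    $uninstall = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                   'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
    $emet = Get-ItemProperty $uninstall -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like 'EMET*' } | Select-Object -First 1

    # The exploit runs with the rights of the logged-on user, so an admin session
    # is the worst case called out in the advisory.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        IEVersion           = $ieVersion
        InAffectedRange     = $affected
        ESCEnabledForAdmins = $escAdminOn
        ESCEnabledForUsers  = $escUserOn
        EMETInstalled       = [bool]$emet
        EMETVersion         = $emet.DisplayVersion
        CurrentUserIsAdmin  = $isAdmin
        # Exposed: affected IE, no ESC for this session type, and no EMET present.
        Exposed             = $affected -and -not $emet -and
                              -not ($(if ($isAdmin) { $escAdminOn } else { $escUserOn }))
    }
}

Get-IeExposure | Format-List
```

Run it on each workstation and server; a host reporting Exposed = True is one where the advisory's interim steps (EMET or an alternative browser) still need to be applied.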
Tier 1 IP will send out additional communication once Microsoft has identified a fix.