You may or may not already know that an unpatched vulnerability for Internet Explorer was announced last week. On Friday, exploit code was made public so it’s likely that we’ll start seeing exploitation on campus soon. Here are the details:
=== VULNERABILITY INFO ===
The vulnerability can be exploited when a client visits a malicious webpage (clicking a link in an email, visiting a website that contains a malicious advertisement, or visiting a website that has been compromised itself and is unknowingly hosting malicious content). Exploit code has been publicly released, and although we have not yet received reports of widespread exploitation I would expect that’s likely to change soon.
Current exploits function only against IE6. Although the vulnerability is present in IE7 and IE8 as well, the current public exploit code fails on those platforms.
The vulnerability can be exploited when a client visits a malicious webpage (clicking a link in an email, visiting a website that contains a malicious advertisement, or visiting a website that has been compromised itself and is unknowingly hosting malicious content). Exploit code has been publicly released, and although we have not yet received reports of widespread exploitation I would expect that’s likely to change soon.
Current exploits function only against IE6. Although the vulnerability is present in IE7 and IE8 as well, the current public exploit code fails on those platforms.
=== Workarounds ===
Microsoft is likely to release a patch soon, outside of their normal patch-Tuesday cycle. Keep an eye out for it.
If you have users who are still using IE6, now would be a great time to get them upgraded. Current exploit code doesn’t work against IE7 or IE8, and although the vulnerability is present in those browsers it’s likely that MS will have a patch out before attackers can adapt the exploit code to work on them.
As an alternative to upgrading, you could also set the “security level” for the “Internet Zone” to high for IE6 in Tools — Internet Options — Security Tab — Internet Zone — set security-level slider to “high”. This disables JavaScript among other things which may degrade performance for some sites. Sites that are needed for business purposes and rely on the disabled features should be added to the “trusted sites” list in the same preference tab listed above, for example add *.nyu.edu there.
A more narrowly scoped workaround is to manually disable JavaScript for IE6 in Tools — Internet Options — Security Tab — Internet Zone — Custom Level — Scroll down to “Active Scripting” and disable. Sites that are needed for business purposes and rely on JavaScript should be added to the “trusted sites” list in the same preference tab listed above, for example add *.nyu.edu there.
Microsoft is likely to release a patch soon, outside of their normal patch-Tuesday cycle. Keep an eye out for it.
If you have users who are still using IE6, now would be a great time to get them upgraded. Current exploit code doesn’t work against IE7 or IE8, and although the vulnerability is present in those browsers it’s likely that MS will have a patch out before attackers can adapt the exploit code to work on them.
As an alternative to upgrading, you could also set the “security level” for the “Internet Zone” to high for IE6 in Tools — Internet Options — Security Tab — Internet Zone — set security-level slider to “high”. This disables JavaScript among other things which may degrade performance for some sites. Sites that are needed for business purposes and rely on the disabled features should be added to the “trusted sites” list in the same preference tab listed above, for example add *.nyu.edu there.
A more narrowly scoped workaround is to manually disable JavaScript for IE6 in Tools — Internet Options — Security Tab — Internet Zone — Custom Level — Scroll down to “Active Scripting” and disable. Sites that are needed for business purposes and rely on JavaScript should be added to the “trusted sites” list in the same preference tab listed above, for example add *.nyu.edu there.
=== LINKS ===
MS Advisory with details on the vulnerability:
http://www.microsoft.com/technet/security/advisory/979352.mspx
MS security blog posts with more technical details:
http://blogs.technet.com/srd/archive/2010/01/18/additional-information-about-dep-and-the-internet-explorer-0day-vulnerability.aspx
http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-ie-0day-vulnerability.aspx
MS Advisory with details on the vulnerability:
http://www.microsoft.com/technet/security/advisory/979352.mspx
MS security blog posts with more technical details:
http://blogs.technet.com/srd/archive/2010/01/18/additional-information-about-dep-and-the-internet-explorer-0day-vulnerability.aspx
http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-ie-0day-vulnerability.aspx