Even before the dust from the Heartbleed bug could settle, another security bug has rocked the Internet. Microsoft has acknowledged a vulnerability in Internet Explorer (IE) that could allow remote code execution (RCE) on PCs running the browser. The vulnerability affects IE versions 6 through 11. To secure PCs against it, Microsoft has released a security fix, including a surprise, one-time patch for Windows XP users.
The vulnerability is in IE itself; the zero-day attacks seen in the wild exploit it with the help of a malicious Flash (SWF) file loaded by the attacker's page. The SWF creates a vector object and corrupts the memory allocated for it, then places the attacker's payload in memory, which runs when the browser later accesses the corrupted vector object. An attacker who succeeds gains control of the PC with the same rights as the logged-on user. The lure is a phishing email that sends the user to a website hosting the malicious code.
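To make the "corrupt the vector, then access it" step concrete, here is a small C model of the vector-length corruption primitive. It is an added example written for this post, not code from the original article and not the IE exploit: the arena layout, the 16-byte overflowable buffer, the secret value, the `COOKIE_KEY` constant and the cookie-checking accessor are all constructed for illustration. The point it shows is that a single out-of-bounds write that clobbers a vector's length turns every later, apparently bounds-checked access into an out-of-bounds read of whatever sits next to the vector in memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model (constructed for this post, not the IE exploit) of why
 * corrupting a vector's length field is so useful to an attacker:
 * every later access trusts that length, so one 4-byte overwrite turns
 * an in-bounds accessor into an out-of-bounds read primitive.
 */

#define VEC_CAP     8
#define COOKIE_KEY  0xA5A5A5A5u   /* assumption: a per-process secret in real code */

typedef struct {
    uint32_t length;            /* trusted by vec_get(): this is what gets clobbered */
    uint32_t cookie;            /* length ^ COOKIE_KEY, used only by vec_get_checked() */
    uint32_t data[VEC_CAP];
} vector_t;

/* One fixed "heap" so the objects are adjacent in a known order. */
typedef struct {
    unsigned char buf[16];      /* attacker-controlled copy target */
    vector_t      vec;          /* immediately after buf: its length is at offset 16 */
    uint32_t      secret;       /* past the vector's real storage: data[VEC_CAP] lands here */
} arena_t;

static arena_t arena;
static const uint32_t SECRET_VALUE = 0xC0FFEE42u;   /* constructed sample value */

void arena_init(void) {
    memset(&arena, 0, sizeof arena);
    arena.vec.length = VEC_CAP;
    arena.vec.cookie = VEC_CAP ^ COOKIE_KEY;
    for (uint32_t i = 0; i < VEC_CAP; i++) arena.vec.data[i] = i;
    arena.secret = SECRET_VALUE;
}

/* Vulnerable accessor: the bounds check uses the in-object length. */
int vec_get(const vector_t *v, uint32_t idx, uint32_t *out) {
    if (idx >= v->length) return -1;
    memcpy(out, (const unsigned char *)v->data + (size_t)idx * sizeof(uint32_t), sizeof *out);
    return 0;
}

/* Hardened accessor: refuses to use a length whose cookie no longer matches. */
int vec_get_checked(const vector_t *v, uint32_t idx, uint32_t *out) {
    if ((v->length ^ COOKIE_KEY) != v->cookie) return -2;   /* corruption detected */
    return vec_get(v, idx, out);
}

/* The bug: copies n bytes into buf without checking n <= sizeof buf. */
void unchecked_copy(const unsigned char *src, size_t n) {
    memcpy((unsigned char *)&arena, src, n);   /* spills past buf into vec.length */
}

/* Attacker payload: 16 filler bytes, then the new length in host byte order. */
void corrupt_length(uint32_t new_len) {
    unsigned char payload[16 + sizeof new_len];
    memset(payload, 'A', 16);
    memcpy(payload + 16, &new_len, sizeof new_len);
    unchecked_copy(payload, sizeof payload);
}

/* Index into vec.data that lands on arena.secret, computed from the layout. */
uint32_t secret_index(void) {
    size_t data_off = offsetof(arena_t, vec) + offsetof(vector_t, data);
    return (uint32_t)((offsetof(arena_t, secret) - data_off) / sizeof(uint32_t));
}

/* Before corruption the accessor correctly rejects the out-of-range index. */
int demo_before_corruption(void) {
    uint32_t out = 0;
    arena_init();
    return vec_get(&arena.vec, secret_index(), &out);      /* -1 */
}

/* After corruption the same index reads the neighbour's secret. */
uint32_t demo_leak(void) {
    uint32_t out = 0;
    arena_init();
    corrupt_length(0x7FFFFFFFu);
    if (vec_get(&arena.vec, secret_index(), &out) != 0) return 0;
    return out;                                            /* 0xC0FFEE42 */
}

/* The checked accessor notices the length/cookie mismatch and refuses. */
int demo_checked(void) {
    uint32_t out = 0;
    arena_init();
    corrupt_length(0x7FFFFFFFu);
    return vec_get_checked(&arena.vec, secret_index(), &out);   /* -2 */
}

int main(void) {
    printf("before corruption: vec_get -> %d\n", demo_before_corruption());
    printf("after corruption:  vec_get -> 0x%08X\n", demo_leak());
    printf("checked accessor:  vec_get_checked -> %d\n", demo_checked());
    return 0;
}
```

In a real browser the "neighbour" is not one secret but the whole process address space, which is why an over-long length is the first thing an exploit writer reaches for: it gives arbitrary read and write without any further bug. The cookie check at the end is one generic way to detect a clobbered length; it is shown here as an assumed mitigation for the toy model, not as a description of what the IE or Flash fix did.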
Microsoft fast-tracking a standalone fix days ahead of the regular Patch Tuesday cycle is reason enough to believe in the severity of this issue. Microsoft also shipped the fix for XP, even though the platform reached end of life (EOL) just a few weeks earlier. A look at Microsoft's security bulletins shows how heavily IE depends on the monthly patch updates. This one-off patch should therefore be a wake-up call for XP users: now that XP is EOL, they no longer receive the monthly security updates, and nothing guarantees that the next IE vulnerability will get an XP fix. The zero-day is also a reminder that being patched does not guarantee 100% security. Moving away from XP is the only prudent thing to do at this point.
With Chrome putting up a tough fight against IE, and Mozilla's on-time release of Firefox 29.0, it will be interesting to observe the impact of this zero-day on the market share of these browsers.
What you can do to secure PCs: Systems with automatic updates turned on will receive the fix without intervention, but they are only protected once the update has actually installed, so confirm that it has. If automatic updates are turned off, make sure the patch reaches every user. As a best practice, keep automatic updates on at all times and use good patch management software to keep your IT environment up to date and secure.
One reason why I love Chrome is the automatic background update of the browser. This ensures everyone is using the latest version of the browser (almost all browsers have this feature now, but Chrome started it, I think). Bug fixes could be delivered easily, and delivery of updates was ensured to every user who is connected to the Internet (which is obvious if he is using a browser). IE, on the other hand, had a majority of its users still on IE 6 when IE 9 or 10 was released. And IE was dominant at that time. This meant websites had to be designed keeping IE 6 in mind. The entire Internet could not grow because of this one browser. Good article.