Microsoft today released an Out-Of-Band (OOB) security update, MS10-002 (http://www.microsoft.com/technet/security/bulletin/MS10-002.mspx), that addresses, among others, the IE vulnerability that was responsible for last week’s Google hack.
This OOB security update addresses 8 vulnerabilities in total, and is considered a critical security update for Internet Explorer. Microsoft recommends that IE users take immediate actions as a result of this security update. More specifically, if you are running IE v6, immediately install the security update. Better yet, immediately upgrade to IE v8, the latest version.
Additional background on the vulnerability and the attack: This vulnerability was disclosed to Microsoft via the proper channels in December 2009. At that time, there was no known exploits in the wild against this vulnerability. Microsoft told me that they followed the normal procedure and had scheduled the said patch to be released in their regular February 2010 security update. When the attack against Google and others surfaced last week, Microsoft accelerated the patch process and decided to issue this OOB update ahead of their February scheduled release.
All versions of Windows are affected by this particular vulnerability. However, IE v6 is particularly vulnerable. IE v6 is believed to be involved in the Google attack – some Google employees were running IE v6, which led to the attack. IE v7 and v8, though also vulnerable, have other protection mechanisms, such as Data Execution Prevention and Address Space Layout Randomization, which would have made the attack less likely to succeed.
For the techies out there, this is a vulnerability that can lead to remote code execution. Here is how the attack worked:
- In this attack, a Google user is enticed, via email social engineering, to a malicious website that has exploit code targeting this browser vulnerability.
- The website exploits the vulnerability and injects prepared attack code and executes it on the user’s desktop.
- This code can then do anything the user is capable of doing including logging onto corporate servers.
- The rest is history as we know it.
For a more specific analysis of the vulnerability, refer to Jonathan Ness’s SRD blog at Microsoft: http://blogs.technet.com/srd/.
Google tells me that the employee whose desktop was compromised was running IE v6 (as opposed to Chrome, haha) for testing purposes. Really?! Does the test involve the user use the outdated browser to surf the Internet?
That said, the more pertinent topic, of course, is how we could avoid such attacks in the future. A few tips to start with,
- Always run up-to-date software and patches, browser and otherwise
- Educate users about social engineering threats – this continues to be a thorn in IT’s thigh.
In the meantime, share your thoughts here or on Twitter. Follow me on Twitter@Chenxiwang