Microsoft released an emergency patch today that repairs a zero-day vulnerability in Internet Explorer and nine other IE fixes originally scheduled for April 13's Patch Tuesday update. Exploit code for the zero-day, announced three weeks ago, is in the wild, and companies are urged to apply the patch immediately.
According to Microsoft Security Bulletin MS10-18, the zero-day vulnerability under attack could allow an attacker to execute code remotely due to an invalid pointer reference being used within Internet Explorer. Users would have to be lured to a malicious webpage via an email or IM phishing scam in order to download the exploit. The attacker would then have the same access rights as the user.
The zero-day vulnerability only affects Internet Explorer 6 and 7, said Jerry Bryant, group manager, response communications, today on the Microsoft Response Center Blog, and he urged customers to upgrade to the latest browser version to address it and mitigate future attacks against any of the other flaws patched today.
Wolfgang Kandek, CTO of Qualys Inc., said the patch addressing the IE 6 and IE 7 vulnerability should be applied immediately. "You can't patch them fast enough," he said. Microsoft said it has detected an increase in attacks against that specific vulnerability, which prompted it to release the patch ahead of the usual Patch Tuesday launch on April 13.
The other fixes rolled into today's bulletin address remote code execution and information disclosure flaws. Most are critical, including three Internet Explorer 8 vulnerabilities. Kandek doesn't see a good reason for enterprises to wait to deploy those patches either. Good security researchers, he said, will be able to reverse engineer an attack for a given fix within a week.
"Even users of IE 8 should apply that patch, not immediately, but as quickly as possible," he said.
The Internet Explorer vulnerability and even the recent browser hacking competition at CanSecWest, Kandek said, demonstrate that browsers are highly exposed and should be hardened and patched as quickly as possible. "You can see, in the browser, there are plenty of ways to trick a user to download a malicious attachment and take over a machine through that mechanism."
The bulletin does not address the vulnerability used in CanSecWest's "pwn2own" browser hacking contest. The flaw is still being investigated, Microsoft said.
Amrit Williams, CTO of security management company BigFix, said companies vulnerable to this condition should apply the zero-day patch or implement mitigating controls immediately. "The reason is that most organizations are not properly provisioned to respond to an outbreak once it occurs," referring to their ability to monitor and identify a compromise, quarantine systems, and return systems to homeostasis. "[It] will limit the impact or potential for compromise if the attack vector is reduced or eliminated," he added via email.
Williams also believes that the only way to end the "scan and patch" management routine is to implement controls that can isolate and segment aspects of a computing environment from each other, applications like the browser, for example, being separated from the operating system.
"Until we can move to a highly segmented environment, organizations will need to extend their standard patch management processes to encompass applications (both Microsoft and non-Microsoft) and ensure the organization can quickly respond to out of band patches," he said.
Jason Miller, data and security team manager at Minneapolis-based Shavlik Technologies, however, urges companies to stay in their patch testing cycles if they can, citing that an exploit of the bulletin's zero-day vulnerability requires user interaction, unlike the critical vulnerability related to the Conficker worm -- one that Microsoft patched with its previous out-of-band update. "You could have a home-grown application inside your network, and [today's patch] could still adversely affect it and break it." Miller, though, believes the vulnerability should be patched as soon as possible. "You're on a timetable against the hackers out there,' he said.
Susan Bradley, a Microsoft MVP and IT administrator at Tamiyasu, Smith, Horn and Braun Accountancy Corp. in Fresno, Calif., will wait to deploy the update to her workstations until testing it later on this week. Because the update doesn't address the CanSecWest bug, Bradley feels she cannot rely on patching alone and must have other means to protect surfing. "That means not running as administrator, using Web filtering at the edge, and using [services] like www.opendns.com to block categories of risky websites,' she said via email.
The advisory states that customers who enable automatic updates will not need to apply the patch manually. For those patching manually, Microsoft recommends that customers apply the update immediately.
According to today's advisory, this security update is rated "Critical" for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6 Service Pack 1, Internet Explorer 6 on Windows clients, Internet Explorer 7, and Internet Explorer 8 on Windows clients. The update is rated "Important' for Internet Explorer 6 on Windows servers and "Moderate" for Internet Explorer 8 on Windows servers.