Tuesday, April 29, 2014

Got Internet Explorer? Get Pwned!

For Windows XP users, the grace period lasted about 3 weeks longer than expected, but it's over now. The first of what will likely be many never-to-be-fixed bugs has turned up, and it's a doozy.

Security firm FireEye this weekend reported a serious flaw in versions of Internet Explorer from IE6 through the latest and greatest IE11. Thus far active exploit in the wild has focused on IE 9 though 11 (which will not run on Windows XP), but this will surely change now that it is public. For a mind-bendingly thorough discussion of how the vulnerability is exploited, see FireEye's write-up. The Cliff Notes version is this: the attacker makes use of an Adobe Flash Player technique that bypasses some IE security measures, drops its own code into a certain point in memory, and then through the newly-discovered bug executes that code.

The even simpler version is this: if you use Internet Explorer and open up an affected web page (whether a bad site, or a legitimate site that has been compromised, or a malicious email message), the attacker now owns your PC. The truly nasty thing about this sort of bug is that you don't have to do anything unseemly to be hit. Similar vulnerabilities in the past have been exploited through clever advertisements submitted to popular and legitimate web sites.

The bad news for Windows XP users is, this will never get fixed. Microsoft ceased support for Windows XP (and for Internet Explorer on Windows XP) on April 8. The good news (for users of every OS) though is that this affects Internet Explorer and not the operating system, thus users of Chrome, Firefox, Opera, Aviator, and the myriad other non-IE browsers are not susceptible (this time).

Which means the easiest way to avoid this vulnerability is to simply use a browser other than Internet Explorer, at least until Microsoft releases a fix. There is another measure you might consider though. Microsoft put out an "Enhanced Mitigation Experience Toolkit" a few years ago. Brian Krebs wrote a pretty good summary of EMET last year; it's a simple install, it runs unobtrusively in the background, and it does a pretty good job of stopping many of the most common forms of malware from gaining a foothold. To install, go to Microsoft's EMET page and follow the link for the recommended version. Install the Setup.msi The default settings work fine for most situations.

Another option is to try out a new browser recently released by security firm White Hat Security. The Aviator Web Browser is built on Chromium but with several key differences. By default it runs in a mode very similar to Incognito, which does not log browsing history, store cookies, or cache data. Equally important for this bug, the browser does not run plug-ins such as Adobe Flash by default. You must specifically allow the plug-ins each time you load a page (or elect to allow plug-ins every time on a specific page). Since this bug is exploited via Flash Player, this has the effect of nullifying the access method to the bug (ignoring for the moment that the bug does not exist in the Chromium code base anyway). As a general purpose browser I find Aviator somewhat clumsy - there is a lot of "convenience functionality" consumers expect that relies on cookies and tracking. But as a layer of privacy and security, it has a lot going for it.


2014-05-01 1:00pm update: Microsoft today announced patch MS14-021, for all versions of Internet Explorer on all OSes, including Windows XP.