Microsoft's workaround for zero-day IE vulnerability may not be effective

Microsoft is pushing its Enhanced Mitigation Experience Toolkit to protect systems, but companies may want to temporarily switch browsers or disable Java

As Microsoft scrambles to roll out a patch for the latest zero-day vulnerability in Internet Explorer, IT admins again find themselves in the unenviable position of coming up with a temporary fix to secure corporate systems. There are options -- dump IE, remove Java, or download Microsoft's Enhanced Mitigation Experience Toolkit -- but these approaches have potential drawbacks.

For those who missed the alert, on Monday Microsoft announced it was investigating reports of a vulnerability in IE6, IE7, IE8, and IE9 -- but not IE10 -- that affects the way the browser accesses objects that have been deleted or improperly allocated. According to reports, malicious hackers have been exploiting the vulnerability to install via drive-by download the Poison Ivy Trojan, which can be used to steal data or take remote control of PCs. Jaime Blasco, manager of AlienVault Labs, told Reuters that malicious hackers appear to be targeting defense contractors.

Some security experts -- as well as the German government's Federal Office for Information Security (BSI, for short) -- have advised users to temporarily stop using IE until Microsoft issues a patch, which is expected in the coming days. That may be a sensible approach for home users and some organizations, but for companies that rely on IE to access particular online resources, temporarily moving to Chrome or Firefox may not be a viable option. In an enterprise environment with hundreds or thousands of users, rolling out an alternative browser -– with the necessary configuration and compatibility testing -- may prove a bigger headache than it's worth if, indeed, a patch is forthcoming. To Microsoft's credit, it has a track record of rolling out patches for zero-day vulnerabilities expediently (that is, in days instead of weeks).

Microsoft, meanwhile, offered its own workaround: Deploy its Enhanced Mitigation Experience Toolkit (EMET), a utility designed to help prevent software vulnerabilities from successfully being exploited by applying in-box mitigations. The toolkit allows users to force applications to use one or both of two key security defenses built into Windows Vista and Windows 7: Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP), according to Krebs On Security. Microsoft provided detailed instructions on how to download and install EMET. The tool can be configured via command line or Group Policy.

Unfortunately, EMET may not be effective in preventing attacks that leverage this newfound vulnerability, according to Tod Beardsley, an engineering manager at security company Rapid7. The company has updated its Metasploit penetration-testing software so that security admins can use it to simulate attacks that exploit the security flaw to see whether their networks are vulnerable.

Microsoft also recommended that organizations set Internet and Local intranet security zone settings to High to block ActiveX Controls and Active Scripting in these zones. Doing so, the company cautioned, potentially has undesirable side effects that may cause some sites to work incorrectly.

Another potential remediation is to remove Java, according to security experts including Metasploit founder HD Moore and Marc Maiffret, CTO at BeyondTrust. The exploit relies on the presence of Java to execute -- at least on IE8 and IE9 on Windows Vista and Windows 7, Moore told Krebs. Unfortunately, the exploit works just fine without Java on systems running IE7 atop XP or Vista, as well as IE8 on XP.&

This story, "Microsoft's workaround for zero-day IE vulnerability may not be effective," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies