Microsoft announced that it will release an out-of-band patch--meaning a patch that breaks the standard Patch Tuesday release cycle--to address the Internet Explorer flaw at the heart of the attacks in China against Google and other targets. The announcement was short on details, but Microsoft promised to provide more information on Wednesday.
George Stathakopoulos, general manager of the Microsoft Security Response Center (MSRC), stated "We continue to see limited and targeted attacks against Internet Explorer 6 and encourage customers to upgrade to Internet Explorer 8. We also recommend customers consider deploying the workarounds and mitigations provided in Security Advisory 979352 until the security update is ready for broad distribution."
Andrew Storms, director of security operations for nCircle, commented on the unusual step of breaking the Patch Tuesday release cycle. "Given the never-ending lack of attention on the Microsoft IE bug, it was inevitable that [Microsoft] would release a patch on or before their regularly scheduled February release."
It is certainly true that there has been no shortage of media attention devoted to the targeted attacks in China, and the revelation that a zero-day vulnerability in Internet Explorer was apparently a prime attack vector. Germany and France have even added their two cents worth by recommending that everyone abandon IE--at least until a patch is available for the flaw.
The fact that the exploit code for the Internet Explorer vulnerability is now publicly available in-the-wild adds fuel to the fire. Storms points out that in the absence of the international attention on the attacks in China, this flaw probably wouldn't be updated out-of-band. "If the public vulnerability had not been tied to the Google breach announced last week, the bug would have been worrisome, but not nearly as epically perceived by many."
Dan Kaminsky, director of penetration testing for IOActive, offered his own cautious insight, "We know there is an exploit in the field that is causing some amount of damage using this exploit as its entry point, but this entire situation is defined more by what we don't know than what we do."
Kaminsky is alluding to the veiled and sparse information trickling out about the attacks. The Internet Explorer vulnerability has been confirmed as an attack vector, but there are hints and implications that there are others as well. Google has been identified as a target, along with as many as 30 other organizations--most of which haven't been identified.
The knee-jerk response to lay the blame at Microsoft's feet and scapegoat the Internet Explorer Web browser misses the point and ignores the larger issue that, not only was this a sophisticated and targeted attack, but that a foreign government is accused of perpetrating the attacks and the United States State Department is backing those claims.
An attacker with dedication and resources can find a way to compromise just about any Web browser or operating system. The impact of precision spearphishing attacks such as this, which leverage zero-day vulnerabilities to infiltrate systems and allow the attackers to extract information, is a much more serious security issue than whether or not Internet Explorer gets patched before February 9 (the next regularly-scheduled Patch Tuesday).
nCircle's Storms concurs "While the attacks were successful against many high profile companies, they are still of a limited and highly-targeted nature. For the mass majority of users, careful browsing practices coupled with up to date antivirus will provide significant risk mitigation."
Watch for more details on the timing of the emergency Internet Explorer patch tomorrow. Microsoft continues to investigate this situation, so customers can also look for the latest updates on the Microsoft Security Response Center (MSRC) blog.