For the second time already in 2010, Microsoft's Patch Tuesday security bulletin release has come with a footnote--an unpatched zero-day vulnerability in Internet Explorer (IE) that is already being exploited. Security vendors are reporting a growing number of incidents in which this new IE flaw is exploited in the wild, so IT administrators need to understand the threat and take action to protect vulnerable browsers.
Ben Greenbaum, senior research manager for Symantec Security Response, explained via e-mail, "At this point in time, we're seeing limited attacks in the wild as the result of an unpatched bug in certain versions of Internet Explorer."
Greenbaum described the threat. "Based on the limited attack attempts we've seen, we believe the zero-day exploit was used as a targeted attack. In our tests, we found a fully-patched version of Internet Explorer 6 to be vulnerable to the exploit code. The exploit is carried out simply by visiting a Web page hosting the vulnerability. When the browser opens the page, the exploit causes the user's computer to download and execute another piece of malware, which is an Infostealer/Backdoor Trojan."
In January, a different unpatched IE flaw was leveraged in the Operation Aurora attacks, which originated in China and targeted Google and other companies. Ultimately, exploit code circulating in the wild forced Microsoft to accelerate its patching efforts and release a fix outside the normal Patch Tuesday cycle--an out-of-band patch.
Opinions are mixed about whether this IE flaw represents a serious enough threat to warrant another out-of-band patch from Microsoft. "The decision to deliver an out of band patch depends on two things: changes in the threatscape and pressure from customers. If there is an exploit for this vulnerability that's hitting a lot of customers then I'd expect Microsoft to respond," explained Andrew Storms, director of security for nCircle.
Symantec's Greenbaum believes "since attack attempts are taking place nonetheless, it's possible Microsoft may consider an out-of-band patch for this issue--an approach the company actually mentions in its security advisory on the issue. Otherwise, we would expect to see this patched as part of a regular scheduled release sometime in the near future."
Qualys CTO Wolfgang Kandek is more skeptical that we'll see an out-of-band update. "It is a very recent disclosure and it will take Microsoft some time to analyze the problem, code the patch and perform their regression tests. Due to the time needed to perform all these steps, I do not expect an out-of-band patch."
Kandek clarified his position, stating "If you recall, Microsoft was able to provide a quick out-of-band turnaround for the last zero-day because they had known about the flaw some time before and were already in the last stages of testing."
Greenbaum added "According to Microsoft, Internet Explorer 8 is not affected by this vulnerability, so downloading and using this newest version of the browser will also help."
IT administrators can protect the affected browsers--IE6 and IE7--by following the guidance provided by Microsoft in the security advisory. Qualys' Kandek agrees, directing users and IT administrators to "look into the work-arounds that Microsoft provided. There is a quite specific fix in the advisory suggesting to change the ACLs on a specific DLL."
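The ACL workaround Kandek refers to is a common Microsoft interim mitigation: deny Everyone access to the vulnerable library so the browser can no longer load it. The PowerShell function below is an added example, not code from the article or from Microsoft's advisory. It assumes Windows Vista or later (it relies on icacls.exe and takeown.exe; on Windows XP the advisory's cacls form applies instead), an elevated session, and that the administrator supplies the DLL path named in the advisory, which this page does not give; the function name, parameter names, and the backup file location are all choices made for this example.

```powershell
# Added example (not from the article or Microsoft's advisory): apply the
# "deny Everyone on the DLL" workaround in a way that can be verified and
# reverted once the real patch ships.
# Assumptions: Vista or later (icacls/takeown), elevated PowerShell, and a
# DLL path taken from the advisory and passed in by the administrator.

function Set-DllDenyAcl {
    [CmdletBinding()]
    param(
        # Full path of the DLL named in the advisory, e.g. "$env:windir\System32\<dll-named-in-advisory>"
        [Parameter(Mandatory)] [string] $DllPath,
        # Where the original ACL is saved so the change can be undone later
        [string] $BackupPath = (Join-Path $env:TEMP 'dll_acl_backup.txt'),
        # Revert to the saved ACL instead of applying the deny
        [switch] $Undo
    )

    if (-not (Test-Path -LiteralPath $DllPath)) {
        throw "DLL not found: $DllPath"
    }
    $dir = Split-Path -Parent $DllPath

    if ($Undo) {
        if (-not (Test-Path -LiteralPath $BackupPath)) {
            throw "No ACL backup at $BackupPath; nothing to restore"
        }
        # icacls /restore takes the directory and applies the saved entries,
        # which were recorded relative to it by /save.
        & icacls.exe $dir /restore $BackupPath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls /restore failed ($LASTEXITCODE)" }
        Write-Host "Restored original DACL on $DllPath"
        return
    }

    # 1. Save the current DACL first; without this the workaround is one-way.
    & icacls.exe $DllPath /save $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /save failed ($LASTEXITCODE)" }

    # 2. System files are owned by TrustedInstaller on Vista and later, so
    #    take ownership before the DACL can be edited.
    & takeown.exe /f $DllPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed ($LASTEXITCODE)" }

    # 3. Deny Everyone full control. A deny ACE wins over any allow, so IE
    #    (and anything else) can no longer map the library.
    & icacls.exe $DllPath /deny 'Everyone:(F)' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /deny failed ($LASTEXITCODE)" }

    # 4. Verify the deny ACE is really present rather than trusting the exit code.
    $acl  = Get-Acl -LiteralPath $DllPath
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'Everyone' -and
        $_.FileSystemRights -eq [System.Security.AccessControl.FileSystemRights]::FullControl
    }
    if (-not $deny) { throw "Deny ACE missing on $DllPath; workaround not applied" }
    Write-Host "Deny ACE applied to $DllPath (DACL backup: $BackupPath)"
}

# Usage from an elevated prompt, substituting the DLL named in the advisory:
#   Set-DllDenyAcl -DllPath "$env:windir\System32\<dll-named-in-advisory>"
# After the patch is installed, put the original DACL back:
#   Set-DllDenyAcl -DllPath "$env:windir\System32\<dll-named-in-advisory>" -Undo
```

Two caveats worth keeping in mind: the deny ACE breaks any feature that depends on the library, not just the exploit path, so test it on a representative workstation before pushing it out, and icacls /restore puts back the DACL but not the original owner, so the file stays owned by the administrator who ran takeown until the patch replaces it.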
One last bit of advice. It should go without saying--and yet it apparently needs to be repeated frequently: use common sense. Greenbaum summed it up "As always, users should follow all other security best practices, including being wary of links in e-mails and IM messages."