We reported here a few days ago that Microsoft had released an emergency security advisory for a zero-day vulnerability discovered to affect all supported versions of Internet Explorer. Today they put out a patch, so stalwart IE users can breathe a little easier after it’s applied, and IT pros can get ready to test and roll out another out-of-band update.
Although they issued instructions for a workaround to protect IE 10 and 11, by enabling Enhanced Protected Mode in those browser versions, Microsoft took a lot of flak for not immediately having a patch ready. This is considered an especially serious vulnerability because IE holds so much of the web browser market (estimated at 55 percent) and so it can potentially affect a very large number of computers. Users were made especially uneasy by the fact that the vulnerability was already being exploited in the wild.
FireEye reported that a hacker group was taking advantage of the vulnerability in targeted attacks on corporate users and dubbed the attack campaign “Operation Clandestine Fox.” Websense researchers went through almost 20 million crash reports and discovered evidence of attacks on components in the VGX library that utilize the vulnerability.
Popular publications jumped on the “IE is unsafe” bandwagon (despite the fact that remote code execution vulnerabilities that pose a similar risk are regularly found in Chrome, Firefox, IE and pretty much all web browsers; it’s the nature of the beast). Slate called it “One More Reason to Stop Using Internet Explorer,” although the article itself didn’t quite live up to the headline, focusing on the risk of using old versions of IE.
Even the U.S. Department of Homeland Security got into the act, recommending that computer users use an alternate web browser instead of Internet Explorer, until a fix was issued. The U.K. government’s National Computer Emergency Response Team announced similar advice.
US-CERT was a bit less drastic in its advisory, pointing users and IT professionals to Microsoft’s advisory for mitigation actions and suggesting that those running Windows XP (estimated to still account for 15 to 25 percent of computer users, depending on the source) use an alternate browser.
My advice would have been stronger; I would have advised that those running XP use an alternate operating system, since that OS is no longer supported and no longer gets security updates. In fact, many IT security experts and pundits are using this as a persuasive argument for why it’s time for everyone to upgrade from XP sooner rather than later, with Tony Bradley creatively calling the exploit “the first sign of the XPocalypse.”
The security update released today (Thursday, May 1) rates the severity of the vulnerability as critical on Windows client machines and moderate on Windows Server systems. That’s because the web browser on the server operating systems has Enhanced Protected Mode enabled by default. Server Core installations, of course, are not affected since they don’t run a web browser at all.
The update is numbered MS14-021 and requires a restart, which won’t thrill IT admins. Interestingly, Microsoft’s Security Bulletin Summary for this update shows MS14-021 as applicable to IE 6, 7 and 8 on Windows XP SP3 and XP Pro x64 SP2, even though several non-Microsoft sources have stated in reports on this issue that XP machines would not get an update for this vulnerability. The security bulletin itself also lists XP, and there is a section at the bottom that contains security update information for XP, so it appears that Microsoft is bringing XP out of non-support temporarily to fix this very serious flaw.
Microsoft notes that you need to install the latest cumulative security update for IE before installing MS14-021; if you don’t, you may run into compatibility problems. If you applied any of the workarounds that were recommended prior to release of the update, you might need to undo them (depending on which you used). You’ll find more information on how to do that in the FAQ section of the bulletin.
For more information, see the bulletin.