A bad day for browsers, severe flaws... again

Filed Under: Microsoft, Vulnerability

Screenshot of IE Security Settings

Microsoft just posted an advisory on the recently discovered zero day flaw in Internet Explorer 6 and 7. It would appear that the workarounds are to use IE8, enable "Protected Mode" in IE7 on Vista, ensure Data Execution Prevention (DEP) is enabled for Internet Explorer, or disable all Active Scripting and ActiveX controls.

At this time Microsoft says that no exploit has been found in the wild, and they have not determined whether the fix will be part of a patch Tuesday roll-up, or released out of cycle.

Opera has also released a patch this week to a "Extremely Severe" vulnerability in their JavaScript engine. The heap overflow could lead to execution of code and users should upgrade to version 10.10 immediately.

This might seem like a good week to be a Chrome, Firefox or Safari user, yet they have all had major vulnerabilities patched in recent weeks as well. We need to be consistently vigilant in defending the most exposed software on our computer... the browser.

The safest thing you can do online is to reduce your attack surface. What I mean by that is to run a bare minimum set of applications with a minimum set of plugins or extensions. Keeping your applications patched is a daunting task, your only hope is to minimize your exposure and patch as quickly as you can when fixes are made available by vendors.

It may be necessary or desirable to have multiple browsers, or to choose a browser based upon how large a target it is. The important point here is that you should control and have awareness as to which applications are deployed in your network, and have a strategy to deploy patches.

Managing what applications you allow and having a plan to keep them up to date is the most important step you can take to securing your desktops against the web threat. You have multiple chances to block the malware before it attacks your system and you should use as many levels of defense as you are able.

Sophos customers can take advantage of several solutions to build a proper web defense:

  1. Sophos Web Appliance - Filters all incoming traffic through both our anti-virus engine and URL inspection technology. Our most recent release has enhanced protection against malicious JavaScript as well.
  2. Sophos NAC Advanced - Ensure that all of your desktops and laptops are patched before allowing access to critical parts of your network.
  3. Sophos Client Firewall - Help prevent application hijacking, and control which applications you allow to communicate on your network.
  4. Sophos Browser Helper Object - Internet Explorer users get additional protection from our BHO. The BHO looks for malicious client side code to prevent IE from executing potential exploits.
  5. Sophos Anti-Virus - Our Buffer Overflow Protection Service (BOPS) and Host Intrusion Prevention System (HIPS) technologies help prevent exploits from successfully dropping malicious code onto your computers. Application control can also be used to restrict which programs can execute, thereby helping you reduce the attack surface.

UPDATE: SophosLabs have blogged about this exploit as well. Sophos detects the proof-of-concept code pro-actively with identity MAL/JSShell-B.

, , ,

You might like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.