Operation Aurora: More on the IE zero day

Following last week’s announcement of the new zero day vulnerability in Internet Explorer, and its role in high profile, targeted attacks [1,2], the news wires have been hot with announcements about ‘what to do’.

Particularly strong warnings have been sent within Germany and France, with web users urged to use alternative browsers until a patch is made available.

Personally, I find such actions a little surprising, and though they may be well intentioned, they are not necessarily helpful. Or perhaps not as helpful as they could be. I am all for raising user awareness and alerting individuals to the malicious threats that are out there – user education is something to be encouraged. But advising “a change in browser” actually does a poor job of educating people about the real web threat that is out there.

For starters, all browsers suffer from vulnerabilities. CVE-2010-0249 is what we are talking about at the moment, but other browsers are targeted too. As far as a user’s browser goes, the important thing is to avoid using legacy versions and to ensure that it is fully patched.

The advice also gives the impression that the web threat starts and stops with the browser. Actually, many other applications that the browser interacts with can also be targeted by attackers (browser plug-ins, extensions and the like). A topical example currently would be (the ubiquitous) Adobe Reader, which has been somewhat hammered by malware throughout 2009, as readers of our blog will be aware [4].

Finally, and perhaps most worryingly, this type of advice feeds the “right now we have a problem, but as soon as the patch is available, we can relax” school of thought. Will the online world be significantly safer once this patch is available and widely deployed? Generally speaking, probably not.

In my opinion it is better to take this opportunity:

  • to educate users about web threats as a whole. In just a few weeks it is Safer Internet Day 2010. The publicity that this exploit is generating could be used to encourage users and organizations to participate in the event and learn about safe computing.
  • to review the browser(s) being used in an organization (i.e. not the knee-jerk reaction of simply switching). This exploit could be the driving force for organizations using IE to upgrade to IE 8 (or, if IE7, ensure that DEP is enabled).
  • to review the configuration of the security products being used. Are all relevant features actually enabled and configured correctly? For example, the BOPs and HIPs technologies (see below) included in the Sophos endpoint product are configured to run in “alert only” mode by default (reporting but not blocking events).
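The second item in the list, reviewing the IE version in use and whether DEP is in play for it, is the sort of check an administrator can script rather than eyeball. The following PowerShell is an added example for this post, not code from the original article or from Sophos. It assumes Windows PowerShell 2.0 or later, the standard registry location for the IE version, and the Win32_OperatingSystem WMI class for the system DEP policy; the “IE 8 or newer” threshold is the one the post recommends.

```powershell
# Added example, not code from the original post or from Sophos.
# Audits the two browser items in the list above on the local Windows host:
# which IE version is installed, and what the system DEP (NX) policy is.
# Assumes Windows PowerShell 2.0 or later and the standard registry / WMI
# locations for these values; the "IE 8 or newer" threshold follows the post.

function Get-IEVersion {
    $key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    # IE 10 and later record the real version in svcVersion; older builds only in Version
    if ($props.svcVersion) { return [version]$props.svcVersion }
    return [version]$props.Version
}

function Get-DepPolicy {
    # Win32_OperatingSystem exposes the boot-time DEP configuration of the host
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    New-Object PSObject -Property @{
        Available       = [bool]$os.DataExecutionPrevention_Available
        Policy          = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        Covers32BitApps = [bool]$os.DataExecutionPrevention_32BitApplications
    }
}

function Test-BrowserHardening {
    $ie  = Get-IEVersion
    $dep = Get-DepPolicy
    $findings = @()

    if ($ie.Major -lt 8) {
        $findings += "Internet Explorer $ie installed; the post recommends upgrading to IE 8."
    }
    if (-not $dep.Available) {
        $findings += "Hardware DEP is not available on this host, so IE cannot be protected by it."
    }
    elseif ($dep.Policy -eq 'AlwaysOff') {
        $findings += "System DEP policy is AlwaysOff; no process, IE included, runs with DEP."
    }
    elseif ($dep.Policy -eq 'OptIn' -and $ie.Major -lt 8) {
        # Under OptIn only processes that ask for DEP get it. IE 8 opts in by itself on
        # the service packs that support it; IE 7 does so only when "Enable memory
        # protection" is switched on in its Advanced options, so flag it for a manual check.
        $findings += "DEP policy is OptIn and IE 7 is installed; confirm 'Enable memory protection' is on in IE's Advanced settings."
    }

    New-Object PSObject -Property @{
        IEVersion = $ie.ToString()
        DEPPolicy = $dep.Policy
        Findings  = $findings
        Pass      = ($findings.Count -eq 0)
    }
}

# Usage: run on the host being reviewed and read the Findings list; an empty
# list (Pass = True) means both items in the post's checklist are satisfied.
Test-BrowserHardening | Format-List
```

The script only reports the system-wide policy and the installed version; an OptIn policy is fine for IE 8, which requests DEP itself, but leaves IE 7 unprotected unless its own memory protection option is turned on, which is why that combination is singled out as a finding to verify by hand.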

As detailed in the previous blog posting, and within the vulnerability assessment page, Sophos protects users against malicious code attempting to exploit this vulnerability in a variety of ways:

Buffer overflow protection (BOPs). The BOPs technology included in the SAV endpoint product provides generic protection against malicious web pages attempting to exploit this vulnerability.

Script detection. Detection for the malicious scripts used in web pages to exploit this vulnerability has been added as Troj/ExpJS-N. Pro-active detection of some malicious scripts seen is already provided with Mal/JSShell-B.

Payload detection. The payload of the publicized attacks is a variant within a large and well established family of remote access Trojans, known as ‘PcClient’. Detection for the specific variants involved has been provided as Troj/Spy-EY, and the Mal/PcClient-I generic has been updated for additional protection against future variants.

On top of this, the runtime protection offered by HIPs provides a significant boost in protection against the payloads that this and future attacks attempt to infect users with. Of course, filtering web traffic to block access to known malicious, high risk or low reputation sites significantly increases the protection of users against all malicious web attacks (irrespective of browser choice!).

Update: Microsoft have announced that they will make a patch available for this ahead of the scheduled Patch Tuesday in February. In the meantime, there is a need for careful and considered strategies for mitigating attacks, not knee-jerk reactions.