Microsoft will be releasing an out-of-band patch (on Monday 14 January 2013 in the USA) for the recently-disclosed zero-day hole in Internet Explorer.
→ The adjective out-of-band in this context is a bit of a metaphorical stretch, but it’s what the industry has settled on. It doesn’t mean that the patch will arrive via a different frequency channel, as it might in telecommunications. You can still get the patch using Windows Update. It’s just outside the usual schedule of patches issued every month on Patch Tuesday.
Actually, we can’t be 100% certain that last December’s vulnerability, documented by Microsoft in Security Advisory 2794220, is the one that will be fixed.
All we know from the 1750 words in Microsoft’s early announcement boilerplate is that Redmond will be fixing “a security vulnerability in Internet Explorer” that is denoted Critical:
Critical: a vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email.
Nevertheless, I’ll assume that tomorrow’s fix will deal with Security Advisory 2794220. And on that basis, I urge you to follow Microsoft’s own advice:
Microsoft recommends that customers apply Critical updates immediately.
Update: Microsoft emailed us to confirm that the patch is indeed for the vulnerability documented in Security Advisory 2794220.
When the crooks are already all over an exploit, as they are in this case, you should give patching your highest priority, even if you already have tools (such as security software) that do a good job of mopping up the trouble.
As we reported already, several websites have already been disseminating malware using this exploit, triggering it with a mixture of HTML, JavaScript and Flash.
Microsoft already published a temporary FixIt tool to protect against this vulnerability. It also recommended its epically-named Enhanced Mitigation Experience Toolkit (EMET) as an additional layer of mitigation for this and other vulnerabilities, known and unknown.
→ EMET is somewhere between a process-hardening tool and a sandbox, forcing security protections onto programs that don’t have them by default, and adding an additional layer of protection to software that includes code in which security holes have been found.
However, there are reports that variants of this exploit exist that work even if you are using EMET, and even after you have run Microsoft’s abovementioned FixIt.
Update: Microsoft emailed us to confirm that the patch addresses all known exploits against vulnerability 2794220, including the variants that claim to work around the FixIt.
Sadly, too, Metasploit, the vulnerabilities-anyone-can-exploit-for-free product, already has what it calls a browser auto pwn plug-in you can download to exploit this vulnerability yourself.
In short, tomorrow’s patch is one to push out and then deal with any fallout, rather than the other way around.
By all means, test, digest and deploy. But make this one of those patches you deal with in hours, or in the worst case, days. Not in weeks, and very definitely not in months.
Note also that the 2794220 vulnerability affects neither IE 9 nor IE 10. If you’re already using one of those versions, you’re sitting pretty.
Both IE 9 and IE 10 include designed-in improvements intended to boost security, so if you’re clinging to older versions for legacy reasons, please give earnest consideration to striking camp and setting up afresh.
For a discussion of priorities when patching, why not listen to this Technow podcast, in which Chet and Duck discuss whether you should lead, follow, or get out of the way when patches roll around:
(19 July 2012, duration 15’25”, size 11MBytes)
Sophos Anti-Virus on all platforms blocks malicious files relating to this vulnerability as follows:
• Exp/20124792-B: Various files associated with the exploit
• Sus/Yoldep-A: Seen in related (“Elderwood Project”) attacks
• Troj/SWFExp-BF: Flash component used to trigger exploit
• Sus/DeplyJv-A: JavaScript components from related attacks
I would like to point out that variants of the exploit can only bypass the EAF mitigation of EMET. No other mitigations of EMET appear to be affected.
This was mentioned by Jonathan Ness (Microsoft’s Security Development Manager) in his Twitter feed:
https://twitter.com/jness/status/2886813186430279…
In addition, the Fixit solution was effective against the most common variants of the exploit but not all variants of the exploit. Here are the links that mentioned this:
http://www.computerworld.com/s/article/9235281/Re…
http://blogs.technet.com/b/msrc/p/january-2013-se…
As Paul has mentioned, install the security update as soon as you can if you are using IE 6 to IE 8.
Thanks.
In the following MSRC blog post, Microsoft confirms the patch will fully address the issue mentioned in Security Advisory 2794220:
http://blogs.technet.com/b/msrc/archive/2013/01/1…
I hope this helps. Thanks.
It does. Plus, Microsoft emailed us overnight to confirm my assumption (and to confirm that the original security bypass plus the security bypass that bypassed the FixIt are all dealt with).
We updated the article to clarify.
Thanks for the notification.
Hi Paul,
It’s great news that both of the security bypasses have been fixed, I didn’t know that.
I appreciate your thanks for the notification. I am just trying my best to keep everyone informed.
"Sadly, too, Metasploit, the vulnerabilities-anyone-can-exploit-for-free product, already has what it calls a browser auto pwn plug-in you can download to exploit this vulnerability yourself."
Wow, Duck…I wasn't sure I was interpreting that correctly—that anyone can download the Metasploit software for free. My first thought was, one can understand how those who create such "products" seek to plunder (not profit) through their sale to others who have ill intent. But in the case of Metasploit, what is their motivation? Anarchy? Chaos? Entropy for entropy's sake (…by which I mean "entropy" in the physical sense, not the informational sense)? Or maybe it's just the chance to revel in some self-created notoriety?
So, I Googled Metasploit and found that it was created about 10 years ago as a tool for vulnerability analysis, testing, and mitigation…that is, as an open source project with an apparently legitimate purpose.
Alas, evidently it can be used for illegitimate purposes as well. I visited the "Exploits" page on the Metasploit website and started counting the downloadable exploits. I stopped counting after I reached 50, which was only about an estimated 5% of those listed, judging by the position of the browser's scroll button. So that means there are something like 1,000 exploits, downloadable by anyone for free! YIKES!
My concluding thought was, "How can legitimate security researchers keep up with that kind of potential for chaos?" It gives me a whole new appreciation for what you folks at Sophos do.