Remember the Internet Explorer (IE) zero-day bug that made the headlines a few days ago?
It went by the nerdy name of CVE-2014-1776, which ended up being surprisingly memorable in North America, because 1776 is the year of US independence.
Sadly, the problem first came to light as the result of a real-world attack.
In other words, cybercriminals found and exploited the bug before the good guys knew about it.
(That’s why it’s called a zero-day, because even a well-prepared user would have had zero days to install the patch, because there wasn’t one.)
Fortunately, the Bad Guys went for what Microsoft called “limited targeted attacks“, meaning that the crooks didn’t pump out booby-trapped web links indiscriminately, choosing instead to focus on a small set of (undisclosed) victims.
That means most of us got some sort of advance warning, together with numerous temporary measures, known as workarounds, giving us a way to protect ourselves while we waited for a proper fix.
→ Whether to attack the whole world or to zoom in on a specific victim depends on the motivation of the attackers. If the goal is to distribute a new strain of zombie malware far and wide, an untargeted attack will give the broadest results before a patch is available. But if the goal is industrial espionage, for instance, then attacking everyone in the hope of breaching a specific company might result in a patch coming out in time to save the intended victim.
The attacks actually seen in the wild targeted IE 9, 10 and 11; they also relied on a Flash file to help the attack along, and an IE extension from Microsoft called VGX.DLL used for vector graphics rendering.
So, although the cybercrooks were not using any bugs in Flash or in VGX.DLL, they relied on both components being available, so turning off either of them prevented the attacks from working.
Of course, there are two reasons why this sort of protection can only be considered partial and temporary:
- If you need Flash or vector graphics rendering, you have lose functionality in order to improve safety.
- The bug exists in all versions of IE, and so other ways of exploiting it, with or without Flash and VGX.DLL, might yet be found.
So, here is the good news.
Microsoft has issued a security bulletin announcing the immediate availability of a fix that closes this hole.
That means you won’t have to wait until next Patch Tuesday for an update.
The bottom line is:
- All versions of IE on all versions of Windows contain a security hole that could allow cybercriminals to implant malware on your computer with little or no warning.
- Microsoft has published a security update that closes this hole so it can no longer be used to attack your computer.
- We recommend you get the update as soon as possible if you haven’t already.
- Go to Control Panel | Windows Update if you aren’t sure where to start.
One last thing is that even XP users can get this update, which applies to IE versions from IE 6 to IE 11, rather than to Windows itself.
That’s a big mercy for those sticking to XP, for whom this attack would otherwise remain a zero-day forever.
PS. Microsoft’s decision to help out XP users and to patch right back to IE6 is not an excuse to put off your upgrade. This largesse from Redmond won’t go on forever, and by leaving yourself at risk, you risk harming the rest of us while you’re about it. Find out why: