« Size matters, but so does resolution | Main | Browser security – an update for 2014 »
Tuesday
Apr292014

Internet Explorer Vulnerability - what to do

 

image

Internet Explorer vulnerability CVE-2014-1776

-----------------------------------------------------------------------------

An update: Microsoft has released an out-of-band security update to address this issue, even on now-unsupported Windows XP systems.

http://blogs.technet.com/b/msrc/archive/2014/05/01/out-of-band-release-to-address-microsoft-security-advisory-2963983.aspx

 This update will happen automatically unless automatic updates are disabled on a given system.

-----------------------------------------------------------------------------

 

There has been a great deal of press about this, but few answers. We have attempted here to offer alternatives and a little perspective.

Summary:

Until Microsoft releases a fix for this issue, you can:

Use Google Chrome (Download Chrome and allow it to become your default browser, for now)

or

Disable Flash Player in Internet Explorer(just use these instructions but select Disable instead of Enable)

or

Ask us for help. That’s what we’re here for!

More information:

This vulnerability affects nearly all versions of Internet Explorer still in use. As our clients know, for a variety of reasons we recommend against the grain of popular (if ignorant) culture: use Internet Explorer. This means Internet Explorer 10 or 11, which, for whatever lack of cool the popular culture finds with them, are still the most secure browsers available. (http://www.interconnected.com/interconnectnow/2014/4/29/browser-security-an-update-for-2014.html). For users of MacOS or people who use both, we recommend Google Chrome as a reasonable second choice.

For now, a serious exposure exists that can under certain narrow circumstances compromise computer security  on a computer using Internet Explorer. While there has been no fix yet from Microsoft, and no definitive statement from Symantec or other antivirus / firewall providers about their ability (or lack thereof) to mitigate this, there are steps users can take.

One prudent path, regardless of which of the following alternatives one chooses, is to avoid, for the time being, visiting web sites with which you are unfamiliar. Going to Fedex, or LL Bean, or Amazon.com is not going to compromise your computer, no matter what browser you are using. Searching for things and visiting oddly-named web sites that are the results of that search, might. Browse with a little more caution until Microsoft resolves this issue.

Beyond the above, here are some alternatives:

Do nothing. Most people will follow this path. This vulnerability has been there for years and hasn’t affected most computers. This is the same logic that allows people to drive for years without wearing a seatbelt or a motorcycle helmet. It’s risky, but a lot of people do it and only a small percentage of them pay any price for this risky behavior.

Switch browsers. This is the simplest solution. You can use another browser until Microsoft patches this. Some have advised using Firefox, which arguably puts you more at risk than doing nothing, due to the overall low security provided by Firefox. If you feel like using an alternate browser, use Google Chrome. Keep in mind that apart from the current vulnerability, which will be fixed, Chrome is in general not as secure as Internet Explorer, and we do not recommend using it as your primary browser except in these and other narrow circumstances. The exception to this is for MacOS users, for whom Chrome is the most secure browser generally available. We do support having Chrome installed on a system as a backup in case of issues with Internet Explorer.

Chrome is here:  https://www.google.com/intl/en/chrome/browser/

Disable pieces of IE that are required for the vulnerability to be used. If you must or prefer to use IE, Symantec has developed a way to stop the vulnerability by unregistering a piece of IE that is exploited by this issue:

Disable vgx.dll. Users can consider mitigating the issue by unregistering a DLL file named VGX.DLL. This file provides support for VML (Vector Markup Language) in the browser. This is not required by the majority of users. However, by unregistering the library, any application that uses the DLL may no longer function properly. Also, some applications installed on the system may potentially re-register the DLL. With this in mind, the following one line of instruction can be executed to make the system immune from attacks attempting to exploit the vulnerability. This line of instruction can be used for all affected operating systems:

"%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

We have developed a batch file that can be used to perform the task for those who may be required to administrate large IT infrastructures.

bat_icon.png

Note: Users will need to rename the file using a .bat extension.

The batch file has the ability to verify the current state of the DLL file and unregister the DLL as needed. The script outlined in the batch file is very simple and can be used as a basis to customize the code to fit the needs of certain system environments.

Although no special tool is necessary to mitigate this particular vulnerability, please note that recommendations, such as the one provided here, may not be possible for future vulnerabilities. We recommend that unsupported operating systems, such as Windows XP, be replaced with supported versions as soon as possible.

Disable Adobe Flash for Internet Explorer. According to FireEye, the organization that identified this defect, “…the attack will not work without Adobe Flash. Disabling the Flash plugin within IE will prevent the exploit from functioning.”

Notes: Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.

Microsoft will fix this issue in Windows Vista, Windows 7 and Windows 8 systems.  If you are still running Windows XP, and you’re a client of Interconnected Technologies, we have discussed the issues with this for some time. This newly-identified vulnerability is the first obvious occurrence of an issue that will not be fixed by Microsoft in Windows XP, which is no longer supported.

And, as always, if you are a client, or would like to be, please contact us to discuss this issue if you have questions.

References (11)

References allow you to track sources for this article, as well as articles that were written in response to this article.

Reader Comments

There are no comments for this journal entry. To create a new comment, use the form below.

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
Post:
 
Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>