18
Aug 15

Microsoft Pushes Emergency Patch for IE

Microsoft today released an emergency software update to plug a critical security flaw in all supported versions of its Internet Explorer browser, from IE7 to IE 11 (this flaw does not appear to be present in Microsoft Edge, the new browser from Redmond and intended to replace IE).

IEwarning

According to the advisory that accompanies the patch, this a browse-and-get-owned vulnerability, meaning IE users can infect their systems merely by browsing to a hacked or malicious Web site. Windows users should install the patch whether or not they use IE as their main browser, as IE components can be invoked from a variety of applications, such as Microsoft Office. The emergency patch is available via Windows Update or from Microsoft’s Web site.

Microsoft’s advisory does not say whether this flaw is actively being exploited by attackers, but security experts at vulnerability management firm Qualys say it’s already happening.

“The vulnerability (CVE-2015-2502) is actively being exploited in the wild,” wrote Wolfgang Kandek, chief technology officer at Qualys, in a blog post about the update. “The attack code is hosted on a malicious webpage that you or your users would have to visit in order to get infected.”

According to Qualys, attackers are using a number of mechanisms to increase their target reach and lure users to the webpage  including:

  • hosting the exploit on ad networks, which are then used by entirely legitimate websites
  • gaining control over legitimate websites, say blogs, by exploiting vulnerabilities in the blogging server software or simply weak credentials
  • setting up specific websites for the attack and manipulating search engine results
  • send you a link to the site by e-mail or other messaging programs

“Now that the vulnerability is disclosed we expect the attack code to spread widely and get integrated into exploit kits and attack frameworks,” Kandek wrote. “Patch as quickly as possible.”

The patch comes just one week after the company released a slew of IE updates and other fixes for security flaws in Windows and Windows components as part of its regular Patch Tuesday monthly patch cycle (the second Tuesday of each month). The advisory credits a Google employee with reporting the vulnerability.

Update, 6:10 p.m. ET: Added comments from Qualys.

Tags:

57 comments

  1. Windows Update, and all locations for this update and article, only cycles back to the Windows 10 download-install prompt and disappears any link to download for downloading the update for other OS’s. I guess they want to fore Windows 10 instead of allowing this critical update to IE.

    Looks like it’s time to leave MS entirely and go with Apple.

    • Come to think of it, I don’t use IE at all, never have. Why not just uninstall IE?

      • As Brian noted in the article, you use IE (really Trident/MSHTML) when you use various other things, including Office (e.g. Outlook, or Word), and even Windows Help. Anytime an application wants to render HTML and doesn’t want to get into the web browser business (which is rough), it’s probably using MSHTML and thus if you don’t update IE, you’re probably at risk if you use that application (well, it depends on what content that application encounters, but if it accesses foreign/unconstrained content, it’s almost certainly a risk).

        Note: While someone could package Gecko, or Blink, or WebKit, or KHTML, unless they automatically update it, they’re going to be even more of a security risk than just using Trident. Chrome and Firefox automatically update, so they’re pretty good. Safari for Windows hasn’t updated in 3 years…

        • Safari for Windows was quietly discontinued. It’s still available for download for anyone obstinate enough to insist on using it, but that’s why the updates (which were coming at a trickle) stopped.

          You know Apple, once they update something to X+1 or X+2 there’s no way they could possibly ever backport those fixes to X, it’s just impossible (replete with flailing arms).

    • The Windows update option is still there. On the Windows Update screen there should be a check for updates or install updates link just below the Windows 10 download and install message.

    • Eaglewerks you has a wide knowledge about NT 4.0, MS XP, W7, W8.0 & 8.3, and WX. I love reading the technicalities, but I yeah some of those it’s hard to follow. Through reading your post, I got some ideas how technology works. Thanks a lot

  2. Who on earth is still using IE‽

    • About 12 percent of the readers of this blog, actually.

      • That means 88% of us know better. 😉

      • What browser is completely safe? Love the book Spam Nation by the way. I’m using it as research for a presentation on Cybercrime.

      • 12% use, or report as using? My understanding is that some browsers can be made to report they “are” something else to avoid compatibility problems.

        IE7 has been around since October 2006, and NINE YEARS LATER a major security problem has been discovered? Let us all remember than Windows 10 is 10.0 and, except for DOS 5.0, all dot-zero releases were, and probably still are, something to avoid.

        Jonathan @nc3mobi

    • Some companies require their employees to only use IE.

      • Those companies typically use IE only for their intranet applications and many have IE locked out of the internet altogether. That’s why many of them are still running IE 6–so they can keep using undocumented legacy code written by the guy that retired in 2000.

        • Just for reference, the DVLA (UK’s driver licencing) head office, which holds PII on most of the UK adult population, forces use of outdated IE versions for ALL web browsing.

          While they do this for legacy code support, you’d assume a target with quite such high-risk data storage would be slightly smarter than this.

          (to be entirely fair, their physical security, and security on actual access to the data itself is very good, but that wouldn’t stop bad guys screenwatching several employees for this information when they access it as normal)

    • I actually have clients that deny the use of any other browser via AD policies.

      • Please tell me you’re kidding. I’ve seem some insane stuff in the IT world, but not that.

        • It actually makes a lot of sense of you can get away with it. Organizations, both public and private, don’t have the IT staff to effectively manage more than one or two browsers along with all the other security and business requirements they struggle to meet. Sadly, IT and IT security are budget items.

          • Not to mention IE actually is built to be managed. Deploy, configure, enforce, restrict, patch and audit it centrally, on your own timeframe, with or without the willing cooperation of the users. And its mitigation technology is actually pretty solid, unlike a certain popular competitor that still runs with the user’s full privilege level, while ratcheting up its version number every six weeks “just because.” You know who you are.

            As the slogan went in the ’80s, “this is not your father’s Oldsmobile” 😉

            • Mmmm… I’d rather have a process exploit gain user level access than a process exploit gain SYSTEM level access, which is what happens a disturbing amount with IE exploits since a large amount of IE isn’t running as the user.

              Chrome Enterprise actually has AD templates that can enforce most browser settings, and FirefoxCE (/CE ESR) is available from Frontmotion with similar configurability. Though the guy running FM is being worked to death by Mozilla’s keep-up-with-Google-release-schedule game.

              • I read Microsoft’s security bulletins routinely, and the recurring theme for IE is “an attacker who successfully exploited this vulnerability could gain the same user rights as the current user” in the worst cases. And even that would require escaping Protected Mode. With hundreds of thousands of machine-hours on IE-equipped systems behind me, I judge it to be one of the better picks in general, and for manageability especially.

                If you’re looking for SYSTEM-level exploits, maliciously-crafted fonts seem to be a hot one lately, but that’s not specific to IE. Easily dealt with, just set a Group Policy setting and IE will not download fonts in the Internet Zone (or whatever zones you prefer). On that tangent, I see Win10 has moved font processing back out of the kernel. Makes sense.

                For those who do want to boost IE security, here are some suggestions: enable Enhanced Protected Mode (Advanced tab of Internet Options), 64-bit tab processes (ditt0), ActiveX Filtering (gear icon > Safety, or in Group Policy of course), and use Qualys BrowserCheck to make sure your add-ons are up-to-date. Uninstall add-ons you don’t need, such as Java. If you’re qualified for a free Windows 10 upgrade from Windows 7, then think it over… Enhanced Protected Mode will be significantly stronger on Win10, where each IE tab ends up in a super-sandboxed AppContainer of its own.

    • Hi Tom R,

      The article actually states that (all) Windows users should install this patch, regardless of whether they are using Internet Explorer.

      It explains that this is necessary because “… IE components can be invoked from a variety of applications, such as Microsoft Office.”

      Regards,
      Peter Selig

  3. as of 1851 hours EST no download links work sigh

    • I just uninstalled IE. Feels so good. Now I’m shed of IE and Flash. Anyone wants me to watch their videos now have to put up a HTML player or go without my eyeballs (attention, business, money, etc.). Feels very good.

  4. My previous company uses IE a lot.

    • What do mean “previous”? Did they have to go out of business because of IE? Seems fitting, if that’s what you meant.

  5. FWIW, MS is pushing this patch to Windows 10 users as well, where IE is supposedly not present?

  6. I understood that Windows 10 users can still run IE11 instead of Edge, so they would need the update too. As for “uninstalling” IE from Windows, first, surely IE is “baked into” Windows? Disabling it is one thing, but removing it entirely would be much more difficult. And second, there are applications, some of them third-party, which require IE to be present on Windows for them to work properly, or even at all – McAfee for instance uses IE files and settings for its own user interface.

    • You can uninstall an updated version of I.E. (like uninstall I.E. 11) and the version that was being used previously (I.E. 10 or I.E. 9) will be in place – guess that is what the person was referring to with uninstalling (of course the old version will have a ton of unpatched vulnerabilities waiting, till the old version is updated).

      But like you said, the base version of I.E. is part of the Windows OS and I don’t believe you can uninstall it either (parts of the OS rely on I.E. to display html based system / help files etc.).

  7. There are a number of business applications that run and or are supported only in older versions of Internet Explorer.

    • Those businesses need to rethink their practices.

    • There are also a significant number of websites whose rendering functionality is built around ActiveX scripts that simply will not fully function in a browser (like Firefox) which won’t process AX.

      • Interesting. So in that vein maybe too it is time to abandon IE and the also the famously insecure active x and java, just as it is time to abandon Flash, too much compromise than it is worth. Happy to manage to live life without them, and maybe if enough people do so, their creators can get the hint and stop thinking it is good enough to create things that create collateral damage and harm to others. Like Ashley Madison.

      • JimV wrote:

        > There are also a significant number of websites whose rendering functionality is built around ActiveX scripts

        Can you give some examples? The ONLY site I ever use IE for is Windows Updates…

        • My locally-owned bank uses a network processing system which requires IE because of the embedded ActiveX controls involved with account login, for one (despite my complaints)…and there are many others which simply will not render or function properly in Firefox even if I temporarily turn off all blockers and enable all scripts to run, but which will render/function just fine in IE.

  8. Realize that humans are not the only users of Web browsers–software applications use them too. Any process running on Windows has the capability of dynamically loading the IE API and use it to connect to any network port at any IP address. IE is the only Web browse guaranteed to be on every Windows machine, so apps that need HTTP/S connectivity will use IE by default or by fallback.

    Even though you (human) may never use IE yourself, it is likely that IE is the most used Web browser on your Windows machine.

  9. this hotfix patch workaround problems with windows update componentes, but cumulative updates security for ie 11 is a shield against malware and another potentially adwares

  10. Does anyone know if MSFT will release patches for IE in XP and 2003?

    • These patches are only being issued for currently supported operating systems. Server 2003 and XP are both end of life, thus no patches.

      • Unless your company / government is paying Microsoft for XP / 2003 patches – which Microsoft is continuing to do (bit of shame they aren’t offering them to smaller customers to purchase via a support subscription…they’d just make money and keep the internet safer…but whatever).

  11. They already have: I’m right now installing ‘Security Update for Internet Explorer 8 for WEPOS and POSReady 2009’…

  12. Thanks for the heads-up Brian.

    I run Windows XP and use Control Panel -> Internet Options -> Security to set ALL zones to HIGH. Does this reduce vulnerability to IE targeted exploits?

    POSReady 2009 has just received an update for IE8. I use EMET 4.1 update 1 and also Malwarebytes Anti-Exploit. I do not explicitly use Internet Explorer.

    I have noticed that Bit-Defender free uses IE runtime support for its GUI. Setting the Internet Zone to HIGH security hobbles Bit-Defender. Thus I do not choose to use Bit-Defender. It bothers me that such software should make use of IE in this way. No such corner cutting affects AVG 2015.

    • I too use XP (I have no choice – my hardware won’t run anything later, and I have no funds to replace my hardware; I also have legacy S/W that won’t run on later OS’).

      In addition to EMET and MalwareBytes I also use ZoneAlarm (free version) that helps by whitelisting all programs (can be a pain sometimes) and provides some antivirus support, and I have a hefty hosts file that I update frequently with entries for either dubious or known bad websites (it can sometimes make browsers misbehave, primarily because supposedly trustworthy sites seem to hand off some of their stylesheets to dubious partners’ sites, to force users to receive ads).

      If I really have to run later versions of Windows I use VMware’s VMPlayer to host them (with all of the above added) – VMware seem capable of doing this under XP whereas MS can’t, which says nothing good about MS and shows that VMware have some really good people.

      • I installed Windows 7 on a circa 2005 1.4Ghz P4 using a mismash of XP, Vista, & 7 drivers for hardware support. Ran better than XP on the same hardware. Just because the OEM says they don’t support X doesn’t mean the hardware doesn’t support X, it just means the OEM doesn’t want to support X on that hardware.

        Sometimes there’s no way, but OEMs seem to think people will just magically find money to buy new hardware if they don’t certify their old hardware for new OSes, so many times it’s just wishful thinking on the part of the OEM.

        • I need to keep one XP machine around because Canon isn’t offering Windows 8 drivers for my multifunction printer. They want me to buy a new printer, which ain’t happening.

          So when I need to print I do the flash drive shuffle between my Windows 8 system and the old XP system.

          On rare occasions, I do need internet access on the XP system. Can anyone recommend how to make this safer? I’m already doing regular scans with Avast AV and Malwarebytes (which obviously require internet access to update their databases). Anything else I should be doing? Thanks….

          • One thing you could do is set up a Windows XP virtual machine on your Windows 8 computer with VirtualBox. Be sure to download VirtualBox from the official website: https://www.virtualbox.org.

            Once you’ve set it up, you can install the printer drivers on the virtual machine. That way, you can easily set up a shared folder that will allow you to transfer files from the host (8) to the guest (XP). You no longer have to sneakernet your files to get something printed. As a side bonus, since virtual machines are used to analyze malware, most malware will refuse to run in a virtual machine.

            Note that setting up a virtual machine to print can be tricky. This forum has some tips: http://www.eightforums.com/virtualization/20443-printers-virtualbox.html

            As for making internet access on XP more secure, you could install a firewall on it. This is something you can do on both physical and virtual machines. You want something that can prevent all programs from making connections unless you allow them. I don’t know any off the top of my head, but I know XP’s default firewall can’t do this. It only blocks incoming traffic, not outgoing traffic.

          • For MS WinXP, I recommend ZoneAlarm which was one of the first free firewalls available for Windows computers. It has a long history of providing great protection against numerous types of threats. While the basic functions of ZoneAlarm remain the same as ever, ZoneAlarm has been refined significantly over the years.

            http://download.cnet.com/ZoneAlarm-Free-Firewall/3000-10435_4-10039884.html

            Good Luck with your endeavors.

  13. They can change the name of IE but “A rose by any other name….”

    A large percentage of issues can be avoided by using some other browser. The only way to completely get rid of IE is to get rid of Windows. That’s just the way it is. No update or patch will ever change that.

  14. Looks like I made a good decision a few weeks ago. All my computers at home are running Linux, 2 of them dual boot with Win7, and recently I made the conscious decision to unplug my cable modem every time I boot Windows, no Internet allowed. Can’t get infected if there’s no connection.

    I’ve had it up to here with Microsoft. First, the constant vulnerabilities. Second, trying to shove Win10 down my throat (I absolutely refuse to install that spyware). If I didn’t have to use Windows at work, I’d rarely ever run it.

    • Sure you can. Just connect an infected flash drive or other removable media. Look up stuxnet if you need a refresher on how it infected air gapped systems.

      • And I take it you plug in flash drives from unknown sources into your computer quite often? I don’t. The only flash drives I use in my machines are those I own myself, and only for my own backup or to transfer files to a consulting client (whose enterprise machines are locked down).

        I know all about infected USB drives – last company I worked for was taken down for 2 days because of that, which led IT to lock down USB drives on all computers company-wide (overkill, but not my decision).

        • You’re always one infected machine away from an infected flash drive. Also, do you really build your flash drives yourself from raw materials? That’s got to be time consuming.

  15. I see a bunch of I.E. bashing when I read the above, much of it is akin to the Apple vs P.C. Bashing or the MS/PC DOS vs whatever bashing or the Windows vs Linux Bashing…All of which is rather stupid and very tiresome. It is like farm boys arguing over which pick-up truck is best, Ford, Chevy or Dodge.

    I personally have used versions of an early browser developed by IBM for P.C. DOS ,project discontinued, back when Netscape Navigator was the browser of choice and Internet Explorer dominance was just a gleam in a developers eye up in Redmond. I later used IE because it was EASIER and much more SIMPLE than Netscape. Later IBM internally suggested that one might want a no frills Opera Browser. I loved Opera and used it for years on all sites it functioned with, except those occasional sites that only worked with a version of IE. When Opera became bloated I switched to early Firefox…which I must admit became very bothersome sometime prior to versions 38.0. I currently use Ff 39.0.3 which is recommending an up-grade to Ff 40+ something. Ff now only works “properly” on about 70% of the sites I visit daily. When I was using W7pro I would have to revert to IE10 or 11 when Ff screwed-up. Now that I am using WX I have found that MS ‘edge’ works flawlessly on all sites, even those that choke Firefox, and as such I am slowly transitioning to edge.

    I also KNOW that some of the internal code within all MS Operating Systems including NT 4.0, MS XP, W7, W8.0 & 8.3, and WX is also used by I.E. and other programs & aps, but is generally considered a portion of IE for up-grade/patching purposes. If you NEVER personally use I.E. you still NEED to do the I.E. up-date as that will ensure an OS that is properly patched/up-dated.

    • ok, maybe I’ll reinstate until I get my new Mac/book after the post-back-to-school price drop.

  16. Just so you geniuses know, I’m reading and posting this on a machine running win-98se (with KernelEx API enhancements, with 2 gb ram, a 750 gb and 1.5 tb SATA hard drive, 3 ghz P4), Firefox 2.0 browser.

    As for why, go read up on the fable “The Emperor’s New Clothes”. Because NT-based OS’s are woven with the finest, most expensive code.

    Because Micro$haft’s motto is: If it Works, it’s not Complicated enough.

    (and oh yea, I’ve executed many browser exploits, pdf’s and email-delivered malware on my system, and watched them crash as they flail around looking for this or that service or file to hook into. Makes me laugh.)