Attacks against Internet Explorer browsers – What to do if you still run Windows XP


[Updated April 30 @ 3 PM] Late Sunday evening Microsoft released details about an ongoing series of attacks against Internet Explorer browsers. This is a serious vulnerability that enables an attacker to gain control of a target computer when the user simply browses to a website hosting the exploit.

Microsoft has been researching this vulnerability with FireEye, one of EI’s antimalware partners, and has provided some technical details of the attacks along with some mitigation strategies to use while Microsoft works on a patch.

While this vulnerability affects virtually every version of Internet Explorer, the biggest concern is for systems still running Windows XP, which reached End of Support status earlier this month, meaning no patches for security vulnerabilities are forthcoming. So what can you do to protect yourself?

1. Use a different web browser.


While Internet Explorer 8 is the latest version that will run on Windows XP (newer versions of Windows currently run Internet Explorer 11), the latest versions of both Google’s Chrome and Mozilla’s Firefox run just fine on Windows XP. While there may be some compatibility issues with internal applications, it is safe to allow the use of the older Internet Explorer browser for those applications within the network, and to use Firefox or Chrome for all Internet-based web browsing.

2. Install Microsoft’s EMET application


The Enhanced Mitigation Experience Toolkit from Microsoft provides a great deal of protection against vulnerabilities such as this one. EMET installs like a regular application and comes with a default profile to get you going. The great thing about EMET is that you can apply its protections to any program on your computer, regardless of who wrote it. It is a highly recommended install that will reduce your exposure to this and future vulnerabilities.

Microsoft’s EMET 4.1: http://support.microsoft.com/kb/2458544

3. Your normal account should not be an administrator level account.


While we do not know whether this particular vulnerability requires administrative rights on the target computer to be successful, we do know that the vast majority of attacks rely on the fact that almost everyone uses their computer with an account that has full administrative privileges. Newer versions of Windows have protection schemes such as User Account Control (UAC) that grant elevated rights only when needed and otherwise run at a normal user level. Windows XP does not have this feature, and for convenience most accounts are set up as administrators and stay that way. EI highly recommends that you modify your normal account to run as a regular user, and keep a separate admin account handy for installing and updating software.
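The following is an added example of how to carry out that recommendation on Windows XP from a command prompt; it is not part of the original post. It uses only the built-in `net user`, `net localgroup` and `runas` commands. The account names `alice` (the everyday account) and `alice-admin` (the new admin-only account) are placeholders, and the script assumes it is run from an account that is currently an administrator.

```batch
@echo off
REM Added example (not from the original post): split a Windows XP machine into
REM a standard everyday account and a separate admin-only account.
REM Run this from an account that is currently an administrator.
REM "alice" and "alice-admin" are placeholder names; substitute your own.

REM 1. Create the admin-only account FIRST, so the machine is never left
REM    without an administrator. The "*" makes "net user" prompt for the
REM    password instead of leaving it in the command history.
net user alice-admin * /add /comment:"Admin-only account for installs and updates"
net localgroup Administrators alice-admin /add

REM 2. Demote the everyday account: remove it from Administrators and make
REM    sure it is in Users. (If it is already a member of Users, the second
REM    command reports that and changes nothing.)
net localgroup Administrators alice /delete
net localgroup Users alice /add

REM 3. Verify. "Local Group Memberships" for alice should now list *Users
REM    only, and Administrators should list alice-admin (plus the built-in
REM    Administrator account).
net user alice
net localgroup Administrators

REM Later, when software needs to be installed or updated, stay logged in as
REM the standard user and run just the installer under the admin account:
REM   runas /user:alice-admin "msiexec /i C:\path\to\setup.msi"
REM runas prompts for alice-admin's password each time, so day-to-day
REM browsing (including any drive-by exploit) runs without admin rights.
```

Log off and back on as `alice` after running the script so the reduced group membership takes effect, and keep the `alice-admin` password somewhere you will find it; on XP there is no UAC prompt to fall back on, so `runas` (or a separate logon) is the only route to administrative rights from the standard account.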

4. Don’t click on links in email messages


In order for this attack to succeed, the attacker has to convince you to visit a page on which he or she has embedded the exploit code. One of the most common ways to do this is a “phishing” attack, where an email purporting to be from a friend, co-worker, or familiar company asks you to visit a web page. You should never click on such a link, since the true destination is often hidden and difficult to detect at first glance. If you get a notice from your bank that they have an important message for you, open your browser and navigate there directly; do not use the link in the email. And if you do receive a suspicious email message, please forward it to your security team for further review.

Microsoft’s security advisory: https://technet.microsoft.com/en-us/library/security/2963983

FireEye’s technical write-up of the vulnerability and attack methods: http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html

[Update]: Microsoft has clarified some of the guidance issued earlier, covering the EMET tool and other workarounds in great detail:

http://blogs.technet.com/b/srd/archive/2014/04/30/protection-strategies-for-the-security-advisory-2963983-ie-0day.aspx
