Microsoft Corp. (NASDAQ:MSFT) has yet to patch a vulnerability in some versions of Internet Explorer that allow remote code execution, but not every corporation could easily change browsers, industry experts say.
Last weekend, the German Federal Office for Information (BSI) Security warned users against using versions 6, 7 and 8 of the browser until Microsoft patched the vulnerability referred to Microsoft in advisory 979352, the remote execution security hole believed to be connected to recent attacks on search engine Google Inc. (NASDAQ:GOOG)
Then the French Centre d'Expertise Gouvernemental de Réponse et de Traitement des Attaques informatique has issued its own warning to the same effect.
The security hole is also known as Operation Aurora.
The question of whether enterprise users should avoid Internet explorer depends on the size and complexity of the business, says James Quin, senior research analyst at Info-Tech Research Group of London, Ont.
“If the business is small enough or technologically sophisticated enough that it can easily manage the browser switch, then it should probably consider doing so,” Quin wrote in an e-mail to Network World Canada. “If not, it should ensure every other known vulnerability is patched, get anti-malware solutions fully updated and vigilantly watch its network traffic for anything that looks suspicious."
It isn’t easy for everyone to switch browsers, said Craig Schmugar, threat researcher for McAfee Inc. (NYSE:MFE) of Santa Clara, Calif.
“Internet explorer is heavily used,” he said. “There are applications written for it. Not everyone can switch browsers on a dime.”
But he did not say the French and German governments are offering bad advice, noting the Firefox browser, developed by the open source Mozilla project, does have vulnerabilities.
“The odds of (Firefox users) being attacked are less by virtue of the fact that the hackers are after the masses,” Schmugar said in an interview. “They go after Windows because it’s used by more people.”
The Canadian government hasn’t been vocal on this issue yet.
The Communications Security Establishment (CSE) describes itself as “the Government's repository for expertise in protecting sensitive information and ensuring the security of IT products, systems and networks.”
CSE referred a question about Internet Explorer security to Public Safety Canada, which said it is “working” on the query.
Public Safety Canada includes the Canadian Cyber Incident Response Centre.
In its security advisory last week, Microsoft said some versions of IE have an “invalid pointer reference,” that a hacker could access after an object is deleted.
“In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution,” Microsoft stated. “At this time, we are aware of limited, targeted attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other versions of Internet Explorer.”
Microsoft stated it is investigating and may provide a fix on its next “patch Tuesday” or before that.
“We are only seeing very limited number of targeted attacks against a small subset of corporations,” Microsoft trustworthy computing security general manager George Stathakopoulos wrote in a blog. “The attacks that we have seen to date, including public proof-of-concept exploit code, are only effective against Internet Explorer 6.”
But now that the vulnerability has been made public, more users are vulnerable, Schmugar said.
“What initially seemed to be contained it now starting to expand,” he said. “It is likely people not associated with Operation Aurora will use it for all kinds of things not associated with intellectual property.”
The vulnerability also affects versions of IE 7 and 8 running on some but not all versions of Windows. For example, Internet Explorer 6 on Windows Server 2003 Service Pack 2 is affected. Microsoft lists 33 different affected configurations on the advisory it posted on its Web site.
“Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected,” the vendor stated.
Versions that are affected include:
-Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4; and
-Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on Windows XP, Server 2003, Vista, Server 2008, Windows 7, and Windows Server 2008 release 2.
The flaw reportedly affected dozens of American companies, including Dow Chemical Inc. and Northrop Grumman Corp., which makes aircraft for the U.S. armed services, including the B2 bomber.
Security vendor VeriSign Inc. originally blamed a flaw in Adobe Systems Inc.’s Portable Document Format (PDF) software but retracted its statement later.
George Kurtz, McAfee’s chief technology officer, wrote in a blog on Sunday that the original purpose of the attacks was to steal intellectual property.
“I believe this is the largest and most sophisticated cyberattack we have seen in years targeted at specific corporations,” he wrote. “While the malware was sophisticated, we see lots of attacks that use complex malware combined with zero day exploits.”
McAfee warned users should be careful about clicking on links and opening e-mails.
“One attack we should watch out for, as despicable as it may sound, would be the combination of a phished email that exploited the IE vulnerability delivered as a ‘solicitation for donations’ to help the struggling Haitian people,” Kurtz wrote.
-With files from John Dunn