Modernizing Authentication — What It Takes to Transform Secure Access
With the publication of an exploit that takes advantage of a newly found Internet Explorer (IE) zero-day flaw, Microsoft's security mavens say they are working on a patch.
In the meantime, they have created an automated Microsoft (NASDAQ: MSFT) "Fix It" script that can reconfigure some users' systems to avoid the vulnerability. Along with other workarounds offered by the company, the move could help protect many customers -- but not all who are currently at risk.
As part of last week's Patch Tuesday bug fix release, Microsoft issued a Security Advisory warning users and administrators of a security hole in IE6 and IE7 that is already being used in active -- though, so far, limited -- attacks in the wild.
On Thursday, the threat escalated when a security researcher, who goes by the screen name Trancer, released a Metasploit module that implements the attack code for easy reuse by other hackers, based on hints he found on the Web.https://o1.qnsr.com/log/p.gif?;n=203;c=204634421;s=15939;x=7936;f=201702151714490;u=j;z=TIMESTAMP;a=20304455;e=i
When Microsoft initially sent out the Security Advisory -- a preliminary warning that does not offer a full-scale patch for a security bug -- it said it had not yet finished evaluating the severity of the problem. Once working code emerged to take advantage of the flaw, however, the company jumped into action.
"We are working hard to produce an update, which is now in testing," Jerry Bryant, Microsoft's senior security communications manager lead, said in a post on the Microsoft Security Response Center blog Friday afternoon.
Microsoft patch ahead
While he didn't say a security patch will be delivered via what's called an "out-of-band" release -- meaning it would occur outside the normal Patch Tuesday bug fix process, which takes place on the second Tuesday of each month -- Bryant's post hinted that Microsoft is at least considering that approach.
"We never rule out the possibility of an out-of-band update," he said. "When the update is ready for broad distribution, we will make that decision based on customer needs."
However, Bryant added, getting an emergency patch out is not as simple as it might seem. Often, the largest gating factor is testing a new patch thoroughly.
"This is a critical and time-intensive step of the process as the update must be tested against all affected versions of Internet Explorer on all supported versions of Windows," he said. "Additionally, each supported language version needs to be tested, as well as testing against thousands of third-party applications."
Among the workarounds cited by Microsoft since the zero-day surfaced: Users should upgrade from IE6 or IE7 to IE8, which is not at risk.
Another workaround is to set IE's security to "high," which blocks scripting.
Additionally, Microsoft has addressed the vulnerability by publishing a new Fix It -- an automated fix for common Windows problems. The Fix It changes the Windows registry so that the affected code, referred to as the "peer factory class," does not execute.
However, the Fix It only applies to IE6 and IE7 running on Windows XP and Windows Server 2003.