Recently in IE Category

The exploit for the Internet Explorer 6 and 7 vulnerability announced yesterday (KB981374) is public now. Late yesterday, Moshe Ben Abu published a Metasploit Module for the exploit after tracking down the exploit to a webpage.

Contrary to what we expected last week, the Microsoft March Security announcements have a little surprise in them.

The standard bulletins cover Windows Movie Maker/Producer and Office:
  • MS10-016 - possible code execution in Windows Movie Maker - ranked important: an attacker can send a malicious file to the target. When the file gets opened, remote code execution is possible. The exploitability index is high, meaning that the file format vulnerability is relatively easy to exploit. Windows XP and Vista ship with vulnerable versions. While Windows 7 does not ship with a vulnerable version, a user could have downloaded and installed the 2.6 version, which is affected. The bulletin does not provide a patch for the also affected Windows Producer, a little-used multimedia add-on to PowerPoint.
  • MS10-017 - possible code execution in Microsoft Excel - ranked important as well. This bulletin covers 7 vulnerabilities, all of them file format based. All versions of Office are affected, including Mac Office 2004 and 2008. An attacker needs to trick the target into opening a specially crafted Excel document, which will allow the attacker to take control of the target system. Exploitability is high for the majority of vulnerabilities listed, so we suggest putting this patch on a fast installation schedule. Attack vectors also include the Excel Viewer and SharePoint Server.
But Microsoft also released advisory KB981374 which describes a 0-day vulnerability reported to Microsoft only recently. At the moment only a limited number of targeted attacks have been reported. Internet Explorer 8 is not vulnerable, another good reason to update to this latest version of IE. There are not a lot of details available on the vulnerability, but for IE6/7 workarounds apply and are detailed in the advisory.

No major updates on advisory KB981169, also for Internet Explorer, which requires the target to press F1 to launch the attack and can best be avoided by user education.

Microsoft's February 2010 Patch Tuesday was slated to be the biggest release for Microsoft fixes in the last two years - 14 bulletins addressing 34 vulnerabilities. But the Google/CN Internet Explorer 0-day forced Microsoft to accelerate the testing of the planned IE bulletin and release it early, still in January. That leaves 13 bulletins covering 26 vulnerabilities for the February release, which constitutes one of the bigger patch Tuesdays.

There are 5 critical vulnerabilities for the Windows Operating System family - the newer versions Windows 7 and Windows 2008 R2 are only affected by 3 of them. Rewrites of the TCP/IP stack and the URI handling in Windows 7 and 2008/R2 improved on the implementation of these core OS capabilities.

Overall highest on our list for patching are MS10-006 SMB client and MS10-013 DirectShow, which affect all versions of Windows and have a low exploitability index. Next are MS10-007 Shell URL handling, which is critical for Windows 2000, XP and 2003 and MS10-008, an update to the ActiveX Killbit settings, applicable to all platforms.

MS10-012 is a bulletin for SMB that server administrators should focus on. It allows a malicious, unauthenticated party to launch a remote denial of service attack. In addition, remote authenticated clients can execute code using another flaw addressed in the bulletin.

MS10-010 addresses an interesting vulnerability - it is in the hypervisor of Windows 2008. This virtualization vulnerability allows a guest operating system to crash the host operating system, affecting all virtual machines running on the same physical host. Virtualization is increasingly used in corporate IT environments and in cloud computing initiatives and we see this class of vulnerability gaining importance.

Microsoft Office has 2 bulletins, both rated as important. While the newest version of Office for Windows, Office 2007, is not affected, users of all other versions, including on Mac OS X, should update as quickly as possible because file-based vulnerabilities have been a favorite of attackers in the last year.

Microsoft released today the patch for the critical Internet Explorer 0-day flaw that has been widely covered by us and the security community in general. MS10-002 fixes a total of 8 vulnerabilities, including the 0-day which is identified as CVE-2010-0249 and is attributed to Meron Sellem from BugSec.

In the MSRC blog post announcing the release, Microsoft gives some insight on how they were able to turn around this patch in record time. Meron had reported the vulnerability in late August of 2009 and Microsoft had it confirmed in early September. By the time of public disclosure of the attacks against Google and others, the fix was in essence ready and tested. It was slated for release in the February Patch bulletin. Microsoft had to decide whether an out-of-band release of the patch was warranted or whether to bundle it into the February release as originally planned. An out-of-band release causes additional work for IT administrators who are tasked with addressing operating system vulnerabilities and have been feeling the strain of keeping the growing number of software packages that attackers are increasingly targeting up to date.

Nevertheless, given that exploits are available and that security researchers have shown that DEP as a defense can be circumvented, we recommend applying this update as soon as possible.
Hi this is Richie again with some updates:

Internally we do not think the IE 0-day that was released last week is something new or unique. Every couple of months a new exploit for a critical vulnerability is discovered in the browser space and all major browsers see their share. Exploits of these types are commonly used in targeted attacks ("spear-phishing") against corporations. What is new is that the affected organizations are coming forward with information on the attacks - a positive trend that we encourage and hope will continue.

Technically, the attack was focused on the browser/OS combination IE6 and Windows XP, both close to 10 years old and near end of life. Microsoft has put a lot of work into increasing attack mitigation and surface hardening that reduces the risk of successful exploitation on newer versions of the Windows Operating System (Vista, Windows 2008, Windows 7). In general users should upgrade to a modern OS/Browser combination, at minimum the browser should be updated to IE8 or another modern browser.

As of now, the attacks are limited to a small target population and we have not seen widespread use of the exploit. We expect that to change in the coming days since details of the vulnerability have been made publicly available. Microsoft has released a Fix-It which will turn on DEP for IE and help mitigate the attack. However, there is active research going on to bypass the DEP measure and its effectiveness could be limited.

Further, Microsoft has indicated that they will release an out-of-band patch for this issue soon. We will keep you updated with new developments as they arise.

Thanks
Richie Lai
Director of Vulnerability Research, Qualys, Inc.
http://twitter.com/rlaiqualys
Hi, my name is Richie Lai and I am the Director of Vulnerability Research here at Qualys. Some of you might have seen me with Wolfgang during our monthly Patch Tuesday webcasts. We have been tracking some developments surrounding a 0-day in Internet Explorer and I just wanted to give everyone the information we've gathered.

Today Microsoft released an advisory for Internet Explorer versions 6 and above on all platforms up to Win7. The current exploit that is in the wild results in code execution only on Internet Explorer 6 on XP. The vulnerability exists in IE DOM parsing, resulting in a dangling pointer potentially exploitable for remote code execution. Even though the advisory lists all platforms as affected, there are a few mitigating factors.

First, you are protected from this specific known exploit if Data Execution Prevention (DEP) is enabled in the operating system. While DEP has been proven to stop exploits like this, there are known ways to bypass DEP if you can get code running. Which is where the second mitigating factor comes in, Address Space Layout Randomization (ASLR). On platforms where both DEP and ASLR are enabled, exploitation is extremely difficult. In the meantime, we suggest Windows XP users run Microsoft's "Fix-It" from the advisory which will enable DEP for IE 6 or 7 on XP. The table below outlines the current exploitability across all platforms and IE versions. As you can see, having the most updated browser will significantly reduce your exposure to this vulnerability at this time. We will update you as we get more information regarding this development.

| | Windows 2000 | Windows XP | Windows 2003 | Windows Vista | Windows 2008 | Windows 7 |
|---|---|---|---|---|---|---|
| IE 6 | exploitable | exploitable | DEP protected | N/A | N/A | N/A |
| IE 7 | N/A | exploitable | DEP protected | Protected by Protected Mode | N/A | N/A |
| IE 8 | N/A | DEP protected with XPSP3 | DEP protected | DEP and ASLR Protected | DEP and ASLR Protected | DEP and ASLR Protected |


Thanks
Richie Lai
Director of Vulnerability Research, Qualys, Inc.
http://twitter.com/rlaiqualys
McAfee's CTO George Kurtz just published some deeper insight into the attacks against Google. According to him a 0-day vulnerability in Internet Explorer was used. Microsoft has just issued an advisory KB979352 acknowledging the vulnerability on all versions of Internet Explorer, except IE v5.

It looks as if the Adobe Reader 0-day was not directly involved, contrary to what we had assumed so far.

We will update this post when further information comes to our attention.

Microsoft closes 2009 with its last regular patch release, adding 6 bulletins and bringing the year's total to 74. December's release is by our current standards a rather normal workload of 12 individual vulnerabilities. As expected, Bulletin MS09-072 fixes the critical 0-day Internet Explorer vulnerability that was publicly disclosed just 3 weeks ago. Microsoft credits iDefense for the vulnerability, so it appears that they had been working on the issue already. Still, kudos to the team at Microsoft for the quick release. This patch is rated for immediate deployment as attackers are actively working on making the PoC into a reliable exploit. The bulletin further contains an additional 4 vulnerabilities, with 3 affecting Internet Explorer 8, including on Windows 7. BTW, this is the only bulletin this month that affects Windows 7 and Windows 2008 R2.

Bulletin MS09-070 deals with remote code execution on Active Directory on Windows 2003 and 2008. This is rated as Important because it requires an attacker to be authenticated. If the attacker has credentials, an exploit can be used to execute code on the Active Directory server and impact the core infrastructure of corporate environments - we recommend fixing it as quickly as possible after internal testing.

MS09-073 and MS09-074 address vulnerabilities in file formats for Word/Wordpad converters and MS-Project. Both allow remote code execution when users open specifically crafted files that can be received through e-mail or downloaded from a website. Install the patches as quickly as possible and review whether extended testing is necessary in your environment.

The 2 remaining bulletins, MS09-069 and MS09-071, address the Windows operating system, one in the well-known LSASS component and the other in the Internet Authentication Service (IAS). The LSASS one is a resource-consumption denial-of-service vulnerability only, and the IAS one only affects Windows 2008 with MS-CHAP v2 enabled. The exploitability index for both is 2 and we think these patches should be installed as necessary.

The highly critical vulnerability in IE6/7, with an exposure window to exploits of over 3 weeks without the availability of a patch, should put the task of getting users off IE6/7 at the top of IT admins' New Year's resolutions for 2010. They have to be migrated to a more modern browser, with the most viable options being IE8 with its well-known patching mechanism or Firefox 3 with its more aggressive patching schedule.

Outside of the direct Microsoft realm, Adobe will release an update for a critical Flash vulnerability that we recommend installing right away.

A mere 10 days after acknowledging the SMB flaw in Windows 7, the Microsoft Security Response Center (MSRC) released a new security advisory for a new critical 0-day in Internet Explorer 6 and 7 as KB977981. A Proof of Concept for the 0-day was published on bugtraq on Friday, but it is not fully reliable against all combinations of browsers and OSs. Attackers are currently working on improvements to the exploit and we are expecting to see new versions soon.

The advisory proposes several work-arounds, but all of them result in restricted usability of the browser. As Internet Explorer 8 (and IE5....) is not affected, for consumers the best option is to upgrade to IE8 or alternatively switch to another product. For enterprise customers, IDS/IPS vendors and secure web gateways are able to deliver a degree of protection against the known exploits.

Qualys tracks this new 0-day under QID 90570.

October's 2009 Microsoft Patch Tuesday is a massive release with 13 advisories covering 34 vulnerabilities. 2 advisories address last month's 0-day vulnerabilities - SMBv2 and FTP for IIS in a very quick turn-around. However another 6 vulnerabilities are tagged as having information disclosed publicly before today's patch release. Of the total set of vulnerabilities a full 22 are of critical severity and should be addressed as quickly as possible. A large selection of software is affected: all versions of Windows (including Windows 7), Windows Media Player, Office and also Silverlight - Microsoft's new rich media development tool. Internet Explorer also receives an update for 2 critical vulnerabilities - one of them disclosed at the Black Hat Security conference.

MS09-054 is a fix for critical vulnerabilities in all versions of Internet Explorer and interestingly can also affect non-Microsoft software - namely Firefox, the browser from Mozilla. The Microsoft .NET runtime installs a plug-in into Firefox that allows XAML Browser Applications (XBAP) to be launched through Firefox and serves as a conduit to the vulnerable component of Windows.

The biggest set of vulnerabilities this month is addressed by MS09-062, which fixes 8 flaws in the GDI+ graphics library. This library is widely used in applications as diverse as Microsoft Office, Visual Studio development tools, SQL Server and even Forefront Security Client.

Another set of 2 vulnerabilities disclosed at Black Hat (video presentation here and here - worth watching) is addressed by MS09-056. It provides a fix to the CryptoAPI library and the much talked about "Null prefix certificate" which allows for the impersonation of an arbitrary SSL certificate by embedding a NULL character at the right spot in the certificate request. Earlier this month a certificate was leaked to the full disclosure mailing list that impersonated www.paypal.com. The vulnerability is rated only as "important", because it does not allow the attacker to take over the machine, but it can be used to steal the user's credentials to any web site.
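The comparison failure behind the "null prefix" certificate is easy to reproduce in a few lines. The block below is an added example written for this page, not code from the original post and not Microsoft's CryptoAPI: it models a Common Name as the length-prefixed byte string it is in ASN.1, shows how a NUL-terminated string API sees only the bytes before the first 0x00, and contrasts a naive hostname check with a length-aware one that rejects embedded NULs. The CN bytes, the hostnames and the `attacker.invalid` suffix are constructed for the illustration.

```python
"""Length-aware vs NUL-terminated hostname matching (added example).

A certificate Common Name is a length-prefixed ASN.1 string, so it may legally
contain a 0x00 byte. Code that copies it into a C string stops reading at that
byte, which is what MS09-056's "null prefix" fix addresses. Not the CryptoAPI
implementation; a minimal model of the defect and its correction.
"""


def c_string_view(raw: bytes) -> bytes:
    """What a NUL-terminated string API sees: everything before the first 0x00."""
    nul = raw.find(b"\x00")
    return raw if nul < 0 else raw[:nul]


def _labels_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match allowing one leftmost-label wildcard."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def naive_match(cn_raw: bytes, hostname: str) -> bool:
    """Vulnerable check: trusts the truncated C-string view of the CN."""
    return _labels_match(c_string_view(cn_raw).decode("ascii", "replace"), hostname)


def strict_match(cn_raw: bytes, hostname: str) -> bool:
    """Hardened check: uses the full length-prefixed value and rejects a CN that
    contains a NUL or any other non-printable byte instead of truncating it."""
    if b"\x00" in cn_raw or not cn_raw.isascii():
        return False
    cn = cn_raw.decode("ascii")
    if not cn.isprintable():
        return False
    return _labels_match(cn, hostname)


# Constructed sample: a CN a CA might sign if it only validated ownership of the
# rightmost domain in the name (attacker.invalid is a reserved TLD, not a real host).
NULL_PREFIX_CN = b"www.paypal.com\x00.attacker.invalid"
HONEST_CN = b"www.paypal.com"

if __name__ == "__main__":
    for cn in (HONEST_CN, NULL_PREFIX_CN):
        print(cn, "naive:", naive_match(cn, "www.paypal.com"),
              "strict:", strict_match(cn, "www.paypal.com"))
```

The naive path accepts the constructed CN for `www.paypal.com` because it never sees the bytes after the NUL; the strict path refuses it outright, which is the safer choice than trying to interpret a name that should never have been issued.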

Important: Adobe released their patch for Adobe Reader, the popular PDF viewer. Adobe Reader versions 7, 8 and 9 are vulnerable on all versions of Windows and Mac OS X. Adobe had acknowledged the existence of exploits focused on v9 and Windows last week. This is a critical update that should be applied as soon as possible.

This month Microsoft released 5 critical advisories, addressing a total of 8 vulnerabilities. The focus is on the Windows Operating System family and all versions are affected. The notable exception is Windows 7, which is a pleasant surprise and most likely an outcome of the additional security measures implemented in this latest version of Windows.

MS09-045 and MS09-047 are client side vulnerabilities indirectly affecting Internet Explorer and Windows Media Player. They require user actions for a successful exploit, but attackers have the necessary tools in place to entice users to visit infected web pages and open malicious media files. MS09-048 is a "classical" network vulnerability of a type that we have not seen in a while: it is located in the TCP/IP network stack of Windows 2008 and Vista and can be exploited through the network, however Microsoft rates the exploitation difficulty as high. MS09-049 is a very interesting attack on the WLAN auto-configuration service of Vista and Windows 2008; it requires a malicious Access Point to be in Wi-Fi range, which limits the number of machines that can be attacked at any given time. We recommend that customers focus on MS09-045 and MS09-047 due to the high likelihood of exploits.

As previously announced Microsoft did not address the IIS FTP 0-day vulnerability that was made public last week. In addition yesterday a security researcher disclosed a vulnerability in the file sharing protocol (SMB2) of Vista, 2008 and potentially Windows 7. We expect Microsoft to monitor the extent of exploitation of these 2 new vulnerabilities and continue to provide guidance for workarounds.

Update: Microsoft has acknowledged the SMB2 vulnerability and provided a workaround in advisory 975497, suggesting disabling the SMB2 protocol; machines then fall back to the older SMB protocol for file sharing.

As announced last week Microsoft today released 2 bulletins, one addressing Internet Explorer (MS09-034) and the other addressing the ATL component of Visual Studio (MS09-035). The release outside of their normal patch window means that exploits for this vulnerability have been spotted in the wild and IT administrators should treat the fixes as high priority.

The main attack vector that the current exploit is using is browsing with Internet Explorer. An end-user browsing the Internet with a vulnerable version of IE can get their system taken over simply by visiting a website that hosts malicious tables or ATL objects. To increase their reach, attackers have been using web application vulnerabilities to place these types of exploits on common, non-malicious sites that end-users would not suspect. Once the system is infected, the attacker can add it to their botnet or use it to attack other machines inside the network where the system is hosted. This second mode of use of an infected computer is increasingly common and can lead to indirect exploitation of systems within corporate networks that do not even have external connectivity or a browser installed. Ryan Smith will present on the issue at BlackHat in Las Vegas tomorrow and has a small preview up on his site....
This has been an exciting week in the security space: first Adobe and now Microsoft have announced that they will deliver out-of-band patches next week:
Both vulnerabilities are rated critical and are found in very common software components - all versions of IE (6,7 and 8) are vulnerable, while Adobe says that updates will be shipped for Flash 9 and 10 and also Adobe Reader 9. IT administrators should prepare for a quick turnaround.
Microsoft's July Security Bulletin does not have any surprises due to the intense pre-release activity around the 3 zero-day advisories that came out in the last 6 weeks. Microsoft had already announced that they would address 2 advisories with patches MS09-028 and MS09-032 for DirectShow and Microsoft Video respectively. Yesterday's zero-day is left for later and users should apply the work-around published in KB973472. The 3rd critical vulnerability addressed is MS09-029 OpenType Font Engine, which applies to all versions of Windows, Vista and 2008 included. These 3 advisories should be addressed immediately as they allow the attacker to fully control the victim's computer.

Microsoft proxy server ISA 2006 has a vulnerability rated as "important" that allows remote unauthenticated users to access the server. However, paired with knowledge of the administrator's user name, attackers can take full control of the server. As administrator usernames are often easy to guess, this vulnerability deserves special attention if IT organizations are using ISA with the RADIUS configuration. This vulnerability is covered in MS09-031. The ISA blog has some more in-depth information.

MS09-030, an advisory for the Publisher component in the MS Office 2007 suite, is rated as "important" as well, but can be used to take full control of the system if the victim is logged in as administrator. If an organization uses Publisher or has it installed as part of Office 2007, this should be treated as "critical" as well.

Microsoft also provided patches for their virtualization products VPC and Virtual Server on all versions (MS09-033), preventing an elevation of privilege in the guest operating system. This is classified as "important" because local access to the guest OS is required. This bulletin is interesting because the vulnerability is introduced by the fact that the OS is running under a virtual environment and allows the user access to privileged kernel mode.

In addition we are working on the Oracle CPU patch release and are monitoring the Firefox 3.5 zero-day.

We just released our QID 110101 which detects the Microsoft Office Web Components ActiveX zero-day vulnerability that Microsoft released today as KB973472. Similar to last week's zero-day vulnerability, Microsoft is providing a workaround using their Fix it program.

The main attack vector is again Internet Explorer, a user can be infected by browsing a website that hosts the exploit without further interaction with a so called "drive-by" exploit. There have been a number of sightings already, which have prompted Microsoft for this out-of-band release - for more information take a look at SANS.

QualysGuard will not raise the vulnerability if you have the described workaround applied which inhibits the OWC10 and OWC11 classids that are susceptible to the attack. We will be enhancing the detection as more information about workarounds and patches becomes available. Due to the timing we do not expect this vulnerability to be addressed tomorrow at Patch Tuesday.
Microsoft released advisory KB972890 yesterday for a zero-day vulnerability found by ISS, warning of an attack on an ActiveX control for Microsoft Video. The main attack vector is for the user to browse a website that has the exploit installed with Internet Explorer; further interaction is not necessary, the attack is of the type called "drive-by". This makes the attack very dangerous as there is very little that Internet Explorer users can do to defend themselves. Security news here and here report that thousands of websites have started serving the exploits already, which is supported by the in-depth information that we are getting from our iDefense feed, which has a long list of sites that are serving the exploits.

The described workarounds involve disabling 40+ classids in the registry, which should be scriptable by IT administrators. The Microsoft support website has a FixIt link which individual users can use to apply those changes to the registry.
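One way to script the registry part of that workaround, as an added example rather than Microsoft's Fix it or anything from the original post: the block generates a `.reg` file that sets the ActiveX kill bit for a list of CLSIDs. The kill bit itself is Microsoft's documented mechanism (a `Compatibility Flags` DWORD with bit 0x400 set under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`, with a `Wow6432Node` twin for 32-bit IE on 64-bit Windows). The CLSIDs in the block are placeholders, since the post does not list the 40+ values; take the real list from the advisory being applied.

```python
"""Generate a .reg file that sets the ActiveX kill bit for a list of CLSIDs.

Added example; not a script from the original post or from Microsoft. It only
emits registry text, so it can be reviewed and imported with regedit or
"reg import" on the target machines.
"""
import re

KILL_BIT = 0x400  # "Compatibility Flags" bit that tells IE never to load the control
ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE"
HIVES = (
    ROOT + r"\Microsoft\Internet Explorer\ActiveX Compatibility",
    ROOT + r"\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility",
)
_CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")


def normalize_clsid(clsid: str) -> str:
    """Upper-case, braced, validated CLSID. Raises on anything malformed so a
    typo in a transcribed advisory cannot silently kill-bit the wrong control."""
    c = clsid.strip().upper()
    if not c.startswith("{"):
        c = "{" + c + "}"
    if not _CLSID_RE.match(c):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return c


def killbit_reg(clsids, include_wow64: bool = True) -> str:
    """Return the text of a 'Windows Registry Editor Version 5.00' file that
    sets the kill bit for every CLSID, under both registry views by default."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    hives = HIVES if include_wow64 else HIVES[:1]
    for clsid in sorted({normalize_clsid(c) for c in clsids}):
        for hive in hives:
            lines.append(f"[{hive}\\{clsid}]")
            lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
            lines.append("")
    return "\r\n".join(lines)


def is_killed(flags_value: int) -> bool:
    """True if an existing Compatibility Flags value already carries the kill bit
    (useful when auditing machines rather than changing them)."""
    return bool(flags_value & KILL_BIT)


# Placeholder CLSIDs, constructed for the example; NOT the OWC10/OWC11 or
# Microsoft Video values from the advisories.
PLACEHOLDER_CLSIDS = [
    "{00000000-0000-0000-0000-000000000001}",
    "00000000-0000-0000-0000-000000000002",
]

if __name__ == "__main__":
    print(killbit_reg(PLACEHOLDER_CLSIDS))
```

Writing the output to a file (regedit exports 5.00 files as UTF-16 LE, and reads that encoding as well as ANSI) and importing it with `reg import` is the whole deployment; the `is_killed` helper is the check to run against values read back from machines to confirm the workaround actually landed.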

QualysGuard detects this zero-day vulnerability as QID 90510, but does not raise it if you have the described workaround applied. We will be enhancing the detection as more information about workarounds and patches becomes available.

How do you deal with ActiveX controls, do you disable them in your default builds? Let me know by sending feedback. We also will discuss this issue on our upcoming panel at the Black Hat security conference in Las Vegas with the present industry experts.
June's Patch Tuesday is generating major workload for IT administrators. Microsoft released their biggest number of patches in recent memory, not only for Windows systems, but also for their Mac Office suite. Adobe has patches for their Reader product for Windows, Mac and Unixes and Apple released a production version of Safari 4 for Mac OS X and Windows.

Microsoft's 10 bulletins patch a total of 31 vulnerabilities, extending to almost all of their products on both servers and workstations. Most urgent on the server side are MS09-018 for the Active Directory vulnerabilities and MS09-020 for the IIS/WebDAV vulnerabilities, as both are categorized as critical and have the highest rating (Consistent exploit code likely) in the Microsoft exploitability index. MS09-022 - Windows Print Spooler is rated critical as well, affects both servers and workstations and so has a higher exposure potential than the other server based vulnerabilities. MS09-025 brings 4 updates for the Windows base operating system kernels and even the new Vista and 2008 versions are affected by 3 of them.

On the workstation side, beyond MS09-022 and MS09-025 we have the updates for Internet Explorer, Word, Excel and Windows Search. MS09-019 has patches for 8 IE vulnerabilities for all versions from IE5 to IE8 - however it is interesting to note that IE8 is only affected by a single vulnerability, which was recently disclosed at the CanSecWest conference in the Pwn2Own contest sponsored by TippingPoint's ZDI.

As expected we did not see a patch for the DirectShow vulnerability, acknowledged by Microsoft 10 days ago in KB971778. While they have the patch, it is still undergoing Quality Assurance and Stability testing. For Macintosh users, Microsoft provided the patch for last month's disclosed vulnerabilities - MS09-017 for PowerPoint. Users of both Office 2004 and Office 2008 are advised to upgrade to fix a remote code execution issue.

As Adobe had announced previously they also published their quarterly patches this 2nd Tuesday of the month. Currently we see that a patch has been released, but there is no further detail available as to the vulnerabilities covered.

Update: The Adobe advisory is out and it shows a total of 14 vulnerabilities. The patch covers Adobe Reader on Windows and Macintosh. Unix users will have to wait until June 16th to get their fixes.


Microsoft's Security bulletin for April brought a total of 8 advisories covering 23 (21 distinct, 2 are covered in multiple advisories) vulnerabilities in Windows and Office. The most interesting part of the bulletin is the elevated number of vulnerabilities that have known exploits. 6 vulnerabilities have already been used by attackers and 4 have a proof of concept or attack plan published. For IT administrators this means that their window to patch is rapidly shrinking: where before weeks were an acceptable timeframe, now days seem more adequate.

The most urgent patches to apply are the advisories that have working exploits - MS09-009 for Office/Excel, MS09-010 for Windows/Office and MS09-012 for Windows. Microsoft's Internet Explorer cumulative patch MS09-014 has proof of concept code available for at least one of its covered vulnerabilities and thus has a high exploitability index of 1 (consistent exploit code likely). All but MS09-012 are rated as critical on all of Microsoft's operating systems, meaning that the attacker can gain complete control over the affected systems, and apply even to Microsoft's newer OS versions such as Vista and Server 2008.

Users who have updated already to Internet Explorer 8 are not affected by MS09-014, another indicator of the significant amount of work Microsoft has invested into this new browser and an incentive to move towards that version of IE as quickly as possible.

The vulnerability addressed by MS09-016 is the only one that is remotely exploitable. It affects Microsoft's ISA product used in securing and proxying companies' internet connections. As it is limited to a denial of service condition it was rated as Important. Further, its exploitability index has the lowest value of 3 (Functioning exploit code unlikely), meaning that it is difficult to write a successful and consistent exploit.


This week we looked at patterns in the deployment of the recent Internet Explorer patch MS09-002. Our main interest was to see if there were any changes in its deployment speed compared to previous IE patches. Considering that an exploit became available roughly a week after the release of the patch we thought that companies would accelerate the deployment given that the existence of the exploit makes the threat concrete. We normalized the detection data from MS09-002 and Microsoft's last cumulative patch to Internet Explorer MS08-073 to put them to the same scale and overlaid them in the same graph. To our surprise we found that nothing changed - no acceleration of patching, the curves follow a remarkably similar pattern:

[Image: MS09_002_compared.png - normalized deployment curves of MS09-002 and MS08-073 overlaid]

However we noticed one anomaly - the absolute values (numbers found for each vulnerability) varied by a power of 10. MS09-002, which is only applicable to Internet Explorer 7 had much lower numbers, and plotting them to a common scale we found the difference to be between 80-90%. This means that Internet Explorer 6 continues to be the more prominent browser in the Enterprise.

[Image: MS09_002_compared_common.png - the same deployment data plotted on a common absolute scale]

Unfortunately this is bad news! IE7 is a much better browser than IE6, as IE7 has improved performance, compliance to standards and contains additional security features. Despite the public trend on the Internet that shows IE7 surpassed IE6 in mid 2008, according to our live data enterprises persist in using what is tried and true. This is not only slowing the adoption of new technologies, but also affects the overall security of these companies and makes them more susceptible to attacks. In my experience working with enterprise customers, this behavior still exists as IT teams try to control what version of the software end-users are allowed to use. This is a disservice to them and to all of us in this industry.

Recommendations:

  • Migrate away from Internet Explorer 6 - your most viable options at this point in time are IE7 and Firefox 3.
  • Evaluate the potential impact of patching browsers in a faster rhythm - this would be a side benefit when the choice is Firefox but could also be implemented using Internet Explorer.


The browser is the most popular application used to access the Internet. Microsoft Internet Explorer has the highest market share with over 60%, making it on the average desktop the best attack target for malicious content. Therefore IE vulnerabilities should be given the highest priority and patched promptly. Yet, when we look at our data, this is not what happens. Our cumulative anonymously gathered data shows that overall users treat browser patches just like all other patches. IE's patch deployment cycle correlates very closely with that of other patches, critical or non-critical, even though exploits for browser vulnerabilities start appearing within days of their public release (see MS09-002).

[Image: ms09_002.png - MS09-002 patch deployment over time]

We believe that IE patches are well understood and tested so extensively by Microsoft that they should be deployed promptly. An extensive in-house testing period is probably not warranted for most companies as the impact on business critical applications is limited. To improve the patch deployment speed for IE, an interesting approach would be to remove IE from the monthly patching cycle altogether and integrate automatic patching capabilities directly into the browser. Microsoft should rethink the patching cycle for IE and enable fast patching for IE similar to other browser vendors, such as Google's Chrome and Mozilla's Firefox, which require little or no interaction from the user. IE8 could be a great opportunity to investigate such a capability.
As we expected, Microsoft is releasing an out-of-band patch tomorrow 12/17 for a critical Internet Explorer 7 vulnerability. The browser flaw had been disclosed roughly one week ago as a zero-day vulnerability and active exploits have been around the internet for that timeframe as well. The work-arounds provided by Microsoft were very technical and quite cumbersome to implement, making it imperative for Microsoft to release a fix as quickly as possible.

Given the typical requirements for developing, testing and packaging the changes to a program as widely deployed as Internet Explorer, we have seen one of the fastest turnarounds possible. Moving faster would require having specific mechanisms in the base code of the application that allow changes to be pushed out in a less disruptive way, and would require an extensive rewrite of Internet Explorer. Other browser providers have an edge here as they already have update mechanisms included in their products.