This morning US-CERT (which operates under the Department of Homeland Security) finally issued guidance, two whole days after Vulnerability Note VU#222929 was published warning of another serious vulnerability in all versions of IE, one already being exploited in the wild.
The delay in issuing the guidance is as disturbing as its tepid substance. That two-day delay was a gift to Microsoft, but a disservice to the public that the government is actually paid to protect. Further, while many media outlets are trumpeting that the US government is recommending that people stop using IE, sadly the actual text of the release doesn’t even come close to saying that:
US-CERT is aware of active exploitation of a use-after-free vulnerability in Microsoft Internet Explorer. This vulnerability affects IE versions 6 through 11 and could allow unauthorized remote code execution.
US-CERT recommends that users and administrators review Microsoft Security Advisory 2963983 for mitigation actions and workarounds. Those who cannot follow Microsoft’s recommendations, such as Windows XP users, may consider employing an alternate browser.
For more details, please see VU#222929.
The announcement is brief and refers admins to a Microsoft security advisory for recommendations. Both the CERT vulnerability note and the Microsoft advisory are calm and detached in their descriptions of the issue. From the CERT note:
Microsoft Internet Explorer contains a use-after-free vulnerability, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system…
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code.
While CERT does refer readers to the Microsoft advisory for further advice, they do so after first making this blunt statement:
We are currently unaware of a practical solution to this problem.
In context those words sound like they were very carefully chosen, and have a constrained quality about them. They’re reminiscent of the kind of prepared text hostages are made to read aloud in front of the cameras. Given that, maybe faulting the media for “reading between the lines” and going all dramatic isn’t fair.
The mitigation steps recommended by Microsoft in its advisory are extensive. Among these are:
1. Deploy the Enhanced Mitigation Experience Toolkit 4.1.
2. Set Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones.
3. Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
4. Add sites that you trust to the Internet Explorer Trusted sites zone.
5. Unregister VGX.DLL (VML viewer library).
6. Enable Enhanced Protected Mode for Internet Explorer 11 and enable 64-bit processes for Enhanced Protected Mode.
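The list above reads as a checklist, so here is what checking it looks like in practice. This is an added example written for this page; it is not code from the post, from US-CERT or from Microsoft's advisory. It audits steps 2 through 6 for the current user and, with -Apply, sets them. Everything about where these settings live is an assumption drawn from IE's documented registry layout rather than from the page: Zones\1 is Local intranet and Zones\3 is Internet; policy 1200 is "Run ActiveX controls and plug-ins" and 1400 is "Active scripting" (0 = Enable, 1 = Prompt, 3 = Disable); CurrentLevel 0x12000 is "High"; ZoneMap value 2 is Trusted sites; Enhanced Protected Mode is Main\Isolation = "PMEM" with Isolation64Bit = 1; and the VML class VGX.DLL registers is CLSID {10072CEC-8CC1-11D1-986E-00A0C955B42E}. It assumes PowerShell 3 or later, and the regsvr32 step needs an elevated prompt. Step 1 (EMET) is a separate installer and is not covered.

```powershell
<#
  Added example (not from the post, US-CERT or Microsoft): audit of several
  Advisory 2963983 workarounds for the current user, with -Apply to set them.
  All registry paths, value names and magic numbers below are assumptions
  based on IE's documented zone/EPM settings; verify against your build.
#>
param(
    [switch]$Apply,
    [string[]]$TrustedSites = @()   # e.g. 'intranet.example.test' (placeholder)
)

$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMap  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$IeMain   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$Zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }           # assumed zone ids
$Policies = @{ '1200' = 'Run ActiveX controls and plug-ins'      # assumed policy ids
               '1400' = 'Active scripting' }
$High     = 0x12000                                               # assumed "High" level
$Disable  = 3                                                     # assumed "Disable"
$findings = @()

function Report([bool]$ok, [string]$what) {
    $script:findings += [pscustomobject]@{ Status = $(if ($ok) { 'OK' } else { 'FIX' }); Check = $what }
}

function Get-Reg([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Set-Reg([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord') {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type
}

# Steps 2 and 3: zone level High, ActiveX controls and Active Scripting disabled
foreach ($z in $Zones.Keys) {
    $key = Join-Path $ZoneRoot $z
    if ($Apply) {
        Set-Reg $key 'CurrentLevel' $High
        foreach ($p in $Policies.Keys) { Set-Reg $key $p $Disable }
    }
    Report ((Get-Reg $key 'CurrentLevel') -eq $High) "$($Zones[$z]) zone level is High"
    foreach ($p in $Policies.Keys) {
        Report ((Get-Reg $key $p) -eq $Disable) "$($Zones[$z]): $($Policies[$p]) disabled"
    }
}

# Step 4: trusted sites, mapped for https only so a plain-http lookalike does not inherit the trust
foreach ($site in $TrustedSites) {
    $key = Join-Path $ZoneMap $site
    if ($Apply) { Set-Reg $key 'https' 2 }
    Report ((Get-Reg $key 'https') -eq 2) "$site mapped to Trusted sites (https)"
}

# Step 5: unregister vgx.dll (both copies on 64-bit Windows); requires elevation
$vgxClsid = 'Registry::HKEY_CLASSES_ROOT\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\InprocServer32'
$vgxPaths = @("$env:CommonProgramFiles\Microsoft Shared\VGX\vgx.dll")
if (${env:CommonProgramFiles(x86)}) {
    $vgxPaths += "${env:CommonProgramFiles(x86)}\Microsoft Shared\VGX\vgx.dll"
}
if ($Apply) {
    foreach ($dll in ($vgxPaths | Where-Object { Test-Path $_ })) {
        Start-Process -FilePath "$env:SystemRoot\System32\regsvr32.exe" `
                      -ArgumentList '/u', '/s', "`"$dll`"" -Wait
    }
}
Report (-not (Test-Path $vgxClsid)) 'VGX.DLL (VML) class unregistered'

# Step 6: Enhanced Protected Mode with 64-bit content processes (IE 10/11 only)
$raw = Get-Reg 'HKLM:\Software\Microsoft\Internet Explorer' 'svcVersion'   # IE 10+ only
if (-not $raw) { $raw = Get-Reg 'HKLM:\Software\Microsoft\Internet Explorer' 'Version' }
$ieVersion = if ($raw) { [version]$raw } else { $null }
if ($ieVersion -and $ieVersion.Major -ge 10) {
    if ($Apply) {
        Set-Reg $IeMain 'Isolation' 'PMEM' 'String'
        Set-Reg $IeMain 'Isolation64Bit' 1
    }
    Report ((Get-Reg $IeMain 'Isolation') -eq 'PMEM') 'Enhanced Protected Mode enabled'
    Report ((Get-Reg $IeMain 'Isolation64Bit') -eq 1) 'EPM uses 64-bit processes'
} else {
    Report $false "IE $raw has no Enhanced Protected Mode; rely on EMET or another browser"
}

$findings | Format-Table -AutoSize
```

Run it without switches first to see which items report FIX, then rerun with -Apply (from an elevated prompt, for the regsvr32 step) and compare. The zone and EPM values are per-user, so on a shared machine the audit has to run as each user, or the same keys have to be pushed under HKLM or by Group Policy instead. The last line of the report is the important one for the XP users US-CERT singles out: on IE 8 there is no Enhanced Protected Mode to enable, which is exactly why the advice there collapses to "consider another browser".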
The above actions, especially blocking Active Scripting and ActiveX controls, will basically remove most of the proprietary features that Microsoft has used over the years to promote customer and third-party vendor lock-in, along with a bunch of other useful stuff. There’s a delicious irony in that. Blowback may not only be a principle of intel operations, after all. It could also apply to business practices that ultimately have unintended negative consequences for customers and partners.