December 2008 IE Vulnerability

Russ Cooper
December 17th, 2008

by Dave Kennedy and Russ Cooper

I just checked, and so far not one member of the Verizon Business RISK Team has moved into their apocalyptic redoubts over the latest vulnerability in Internet Explorer (IE). Our assessment is that this latest vulnerability isn’t very different from many of the IE vulnerabilities we’ve seen in the past. IE has historically been a popular target for criminals, and we don’t doubt some are using, or will use, this latest vulnerability to take over users’ systems. We assess the threat volume as small and its locations as isolated, and believe that several mitigations are available to reduce overall risk.

With the release later today of an out-of-cycle Microsoft Security Bulletin (likely MS08-078), Microsoft has very quickly addressed the vulnerability. There is no reason, however, to view deployment of this patch as being any more urgent than past IE patches. This is not the first time attacks against IE have been present at the time of a patch.

This activity is the result of the discovery of a use-after-free vulnerability in mshtml.dll. Vulnerabilities in mshtml.dll can be exploited via IE as well as via other applications that rely on IE’s rendering engine. The vulnerability allows remote attackers to execute arbitrary code via a crafted XML document containing nested SPAN elements. XML documents may not be the exclusive path to successful exploitation of this vulnerability.

The security community just experienced an out-of-cycle MS bulletin, and in spite of dire scenarios of worms taking over the Internet, we have yet to see significant threat or losses due to that vulnerability. Lost productivity for IT and IS staff scrambling needlessly we have seen, but successful attacks? Not so much. During nine days in December 2005 and January 2006, the security community experienced another dire vulnerability and out-of-cycle MS bulletin. On December 27, 2005 a post to the bugtraq mailing list revealed a vulnerability in metafile handling by the graphics rendering engine in Windows. Microsoft issued a Security Advisory on December 28th and an out-of-cycle Security Bulletin on January 5, 2006. A metasploit module became available on December 31, 2005 and third-party patches began appearing the same day. Limited and targeted attacks were reported, but a worm exploiting the vulnerability did not appear for eight months.

Microsoft reports “limited attacks” using this vulnerability.  Currently, reports of attacks center on the Chinese Massively Multi-user Online Role Playing Game (MMORPG) space.  We’ve been aware of aggressive use of malcode in this community for quite some time and rarely does it spill out into enterprise IT space in significant volume. Further, access to such communities from enterprise assets should be restricted by policy, and enforced with access controls. Availability of exploit code and a metasploit module for today’s data-binding vulnerability are remarkably similar to events in 2005.

Existing mitigations to this risk include (see linked advisory for details):

- Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones
- Configure Internet Explorer to prompt before running Active Scripting, or to disable Active Scripting, in the Internet and Local intranet security zones
- Enable DEP for Internet Explorer 7
- Use an ACL to disable OLEDB32.DLL
- Unregister OLEDB32.DLL
- Disable Data Binding support in Internet Explorer 8
- Use IDS and IPS to detect and block attacks using this vulnerability.
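As an added example (not from the original post or from Microsoft’s advisory), the following read-only PowerShell script reports whether the interim workarounds above that leave a footprint on the local machine are in place: the Internet and Local intranet zone settings for Active Scripting and ActiveX controls, and the Deny ACL on OLEDB32.DLL. It assumes the zone settings are read from HKCU (a domain policy may set them under HKLM instead) and that OLEDB32.DLL sits at its default Common Files location.

```powershell
# Added example: audit the interim IE workarounds listed above. Read-only.
# Assumptions: zone settings are read from HKCU (a domain policy may set them
# under HKLM instead); OLEDB32.DLL is at its default Common Files location.

# IE security zones: 1 = Local intranet, 3 = Internet.
# Value 1200 = "Run ActiveX controls and plug-ins", 1400 = "Active scripting".
# Data: 0 = Enable, 1 = Prompt, 3 = Disable. Prompt or Disable counts as mitigated.
$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$actions = @{ '1200' = 'ActiveX controls'; '1400' = 'Active scripting' }
$names   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$report = @()
foreach ($z in $zones.Keys) {
    $key   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$z"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($a in $actions.Keys) {
        $val = $null
        if ($props -ne $null) { $val = $props.$a }
        if ($val -eq $null) {
            $state = 'not set (zone defaults apply)'; $ok = $false
        } elseif ($names.ContainsKey([int]$val)) {
            $state = $names[[int]$val]; $ok = ([int]$val -ne 0)
        } else {
            $state = "unknown ($val)"; $ok = $false
        }
        $report += New-Object PSObject -Property @{
            Check = "$($zones[$z]) zone: $($actions[$a])"; State = $state; Mitigated = $ok
        }
    }
}

# OLEDB32.DLL: the ACL workaround adds a Deny entry for Everyone (SID S-1-1-0)
# on the file so IE can no longer load the library used for data binding.
$dll = Join-Path $env:ProgramFiles 'Common Files\System\Ole DB\oledb32.dll'
if (Test-Path $dll) {
    $deny = (Get-Acl -Path $dll).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
    }
    $state = if ($deny) { 'Everyone: Deny' } else { 'no Deny entry for Everyone' }
    $report += New-Object PSObject -Property @{ Check = 'OLEDB32.DLL ACL'; State = $state; Mitigated = [bool]$deny }
} else {
    $report += New-Object PSObject -Property @{ Check = 'OLEDB32.DLL ACL'; State = 'file not found'; Mitigated = $false }
}

$report | Format-Table Check, State, Mitigated -AutoSize
```

A row that reports Mitigated = False is a workaround that is not applied on this machine; once the bulletin patch is installed, the same output shows which workarounds still need to be undone.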

The IP addresses of known hostile sites are available and, at this time, limited in number. Blocking by IP can be effective but degenerates into a game of whack-a-mole.

Anti-virus, anti-spam, and content filtering solutions each contribute to preventing and detecting attacks using this vulnerability, although none is a perfect solution to the problem.

Technically, using another browser and disabling active scripting in IE are both mitigations but our assessment is they are too disruptive and costly in response to any single vulnerability.

So, with a limited threat, multiple mitigations, and widespread reconnaissance and alerting among the security community should the threat escalate, we’re going to finish our holiday shopping instead of occupying the caves in the Bitterroot Mountains.

Update (12/19/08): Microsoft published their security bulletin, MS08-078, and revised the Security Advisory. Not all of the mitigations recommended by the advisory are undone by applying the patch from the security bulletin, and the advisory no longer lists the specifics for undoing the workarounds. See KB Article 961051 for those details.

Update #2 (12/23/08): Some technical media headlines imply the patch is ineffective and that malicious Microsoft Word DOC files “bypass” the patch. This is hype. The basis for the tales is an accurate article by Rahul Mohandas in McAfee’s Avert Labs Blog. Unpatched instances of Windows are vulnerable to the attack McAfee describes. That said, the threat prevalence remains very low and our recommendation to patch within 30 days has not changed.

Comments

  1. With the bulletin now published we know that this patch does not replace MS08-073, the Internet Explorer cumulative update from December 9, 2008. This doesn’t alter our opinions.

    You should, however, make sure you apply these patches in order just to be safe until Microsoft releases the next IE cumulative update.

    Posted by: Russ Cooper on December 17th, 2008 at 6:56 pm
  2. I wonder why Microsoft has started doing these off-cycle patches. Agree that this one doesn’t seem worth the disruption. I remember they were pretty firm about sticking to the once-a-month cycle, stating that widespread exploitation only took place after the bulletin was released. I guess it could be a coincidence that two patches they thought were especially urgent came out so close together.

    Posted by: Jeff Martin on December 18th, 2008 at 6:29 pm