Researchers: Microsoft will pull trigger on emergency IE patch
Uptick in attacks, bypasses of recommended workarounds will force Microsoft to fix flaw criminals already using to hijack Windows PCs
Computerworld - Microsoft will issue an emergency update to patch a vulnerability in Internet Explorer (IE) in the next two weeks to fix a flaw criminals have been using for more than a month, researchers said Tuesday.
The company will move on the IE6, IE7 and IE8 bug before the next regularly-scheduled Patch Tuesday because of increasing attacks and proof that temporary workarounds can be circumvented.
"I wouldn't be surprised if they go 'out-of-band,'" said Andrew Storms, director of security operations at nCircle Security, using the term for an emergency update. "They won't want to wait for five weeks, and there's enough pressure on them now to work on an out-of-band."
The pressure Storms referred to includes reports that additional websites have been spotted serving up "drive-by" attacks against older versions of IE, as well as claims from researchers that both the "Fixit" tool Microsoft deployed last week and a long-available advanced anti-exploit tool can be sidestepped.
When Microsoft acknowledged the IE zero-day vulnerability Dec. 29, several security firms said that the website of the Council on Foreign Relations (CFR), a notable U.S. foreign policy think tank, was hosting attack code targeting IE8. Since then, other domains have been found conducting similar drive-bys, including one maintained by an Iranian oil company.
In lieu of a patch, Microsoft issued one of its automated "Fixit" tools to block attacks, and also recommended that customers deploy the Enhanced Mitigation Experience Toolkit (EMET), a separate anti-exploit utility.
But according to Exodus Intelligence, a company composed of several former researchers with HP TippingPoint and its bug-bounty program, both workarounds can be outflanked.
A Twitter exchange between Aaron Portnoy of Exodus and Jonathan Ness, a security engineer at Microsoft, revealed that the Fixit bypass was likely legitimate. "We think you are probably right," Ness tweeted yesterday.
"For the record ... EMET can also be bypassed to exploit CVE-2012-4792," said Exodus on its Twitter feed on Tuesday, using the IE bug's Common Vulnerabilities and Exposure's identifier.
Microsoft's next Patch Tuesday is Feb. 19, five weeks away. But Microsoft won't wait, said Jason Miller, VMware's manager of research and development, in a Tuesday interview. "They will go out of band on this," Miller said. "I think they'll [have a patch] as soon as next week, and no later than two weeks."
Beyond the upswing in attacks and Exodus Intelligence's finding, said Miller, another factor in play is that while Microsoft has urged customers to upgrade to IE9 or IE10 if possible -- neither of those newer editions contain the vulnerability -- Windows XP users can go no further than IE8, the 2009 edition that is the last in the line for the 11-year-old OS.
"Because XP can't get to IE9, I think Microsoft will go out of band," Miller said.
Emergency updates have become rare for Microsoft. The company has issued only two since September 2010.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Mobile Applications Case Study: 8 Billion Transactions a Day The story documents how the online brokerage company tradeMONSTER created a custom mobile app and the success gleaned from this initiative. Also covered...
- Mobile Apps and Devices Slash Customer Cycle Time Consolidated Engineering Laboratories' field employees used to collect data on triplicate forms that were sometimes hard to read and difficult to manage. After...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources... All Malware and Vulnerabilities White Papers | Webcasts