Microsoft turns to creative tactic to block IE attacks

Security experts applaud Windows Application Compatibility Toolkit shim

Microsoft today turned to a new defensive measure to help users ward off ongoing attacks exploiting a known bug in Internet Explorer (IE).

As expected, the company also patched three vulnerabilities in Windows.

"The 'shim' for IE is the news today," said Andrew Storms, director of security operations at nCircle Security. "We had not expected a patch for IE today, but we had not expected the shim either."

Shim is a term used to describe an application compatibility workaround. Storms said it was appropriate to today's temporary fix because Microsoft used the Windows Application Compatibility Toolkit to modify IE so it's immune to attacks that leverage a bug in how the browser processes a CSS (Cascading Style Sheets) file.

"This is the first time that they've used the Application Compatibility Toolkit to mitigate a zero-day vulnerability," said Storms.

The tool, which has been part of Windows since XP's days, was designed to allow older applications, including those created for outdated versions of the OS, to run on newer editions of the operating system.

Microsoft's workaround used the Application Compatibility Toolkit to modify the core library of IE -- a DLL, or dynamic-link library, named "Mshtml.dll" that contains the rendering engine -- in memory each time IE runs. The modification prevents recursive loading of a CSS file, which effectively stops the existing attacks.

"Microsoft's using the App Comp in an unexpected way," said Storms. "They've incarnated it to help mitigate a zero-day. They're going to use whatever is in their arsenal, that's the bottom line."

Other researchers also applauded the new tactic.

"That was creative," said Wolfgang Kandek, chief technology officer of Qualys, a California-based security risk and compliance management provider. "We like it because it gets the fix out earlier than a true patch."

Qualys today confirmed that after applying the Application Compatibility-based workaround, the current in-the-wild exploit fails to execute.

"One nice thing about the shim is that it doesn't have to be uninstalled prior to installing the patch, whenever that appears," said Storms.

Kandek expects that Microsoft will shut the IE hole on Feb. 8 as part of its usual monthly Patch Tuesday. However, Storms saw the shim's release as a good hint that Microsoft will ship an emergency, or "out-of-band," update for the browser before then.

"I think they have [a patch], but they aren't happy with the QA it's received, so the door is open for an out-of-band if their attack telemetry shows an increase in exploits," Storms said.

Microsoft first acknowledged the CSS bug in IE on Dec. 22, several weeks after French security firm Vupen had issued a bare-bones advisory that said all versions of IE, including 2009's IE8, were vulnerable to attack.

Since then, Microsoft has admitted that it's tracking active attacks exploiting the bug. It repeated that warning today, again saying that it was seeing only "limited attacks attempting to exploit this vulnerability."

That IE vulnerability is just one of several bugs in Microsoft's products that went unpatched today. Last week, the company acknowledged a serious flaw in Windows XP, Vista, Server 2003 and Server 2008, and also confirmed that it had seen reports that Chinese hackers were scouring the Web for information on another IE flaw.

The latter vulnerability had been reported to Microsoft last summer by Google security engineer Michal Zalewski. Microsoft and Zalewski have traded barbs over the timeline of his bug report, and subsequent release of a "fuzzer" tool that found the flaw.

Also last week, Microsoft made another new move by summarizing the bugs that had been reported but had not yet been patched.

In a post to the Security Research & Defense blog, Microsoft engineer Jonathan Ness spelled out the outstanding issues.

Storms applauded Ness' table. "That was pretty new for them, and a good move," said Storms. "Because many of these zero-days were reported over the holidays, there was quite a bit of confusion about what was what. It's to their credit that they are saying 'Here's everything that we know,' so we're all on the same page."

Users can download the IE shim from Microsoft's site. A link is included in a Security Research & Defense entry posted today.
