IE zero-day flaw shows kinks in Microsoft patching

The speed at which cybercriminals exploited an Internet Explorer vulnerability discovered in mid-February and finally patched Tuesday demonstrates the snags in Microsoft's security update system.

The critical vulnerability in IE 10, which would enable an attacker to run code remotely on a Windows PC, was first announced Feb. 13 after security researchers reported finding an exploit in the Web site of the French Aerospace Industries Association. The group has more than 300 members.

Roughly a week after the discovery, Microsoft released a Fix It module that plugged the hole temporarily until a permanent patch was released.

"Unfortunately, not many people are aware of these modules and they do not get installed widely," Wolfgang Kandek, chief technology officer for Qualys, told CSOonline.

Companies using IE 10 also had the option of upgrading to IE 11, which did not contain the same flaw. However, such upgrades can be major projects for many companies.

In the meantime, cybercriminals began trying to exploit the vulnerability shortly after its existence became public. The exploit source code used in the initial attack was seen on other compromised sites, according to security vendor Websense.

Besides the French Aerospace site, exploits were found on the web sites of a Japanese travel company, a Taiwanese English school, the Chemistry Department of Hong Kong University, and the Veterans of Foreign Wars. The VFW site was hosted in Blue Springs, Mo.

The fast work of cybercriminals indicated that they were "looking to make a quick profit from the security hole," Websense said.

Security researchers generally praise Microsoft's patching system, which includes regular releases on the second Tuesday of every month and emergency fixes in between as needed. By comparison, Oracle releases updates quarterly and Cisco biannually.

"Microsoft is a patch delivery speed demon compared to these two," Tyler Reguly, manager of security research for Tripwire, said.

Nevertheless, some experts believe more needs to be done.

"Overall I believe we need to move to faster patching cycles, but I am aware that out-of-band patches cause significant disruption in organizations that are not prepared to deal with them," Kandek said.

One solution is for Microsoft to take IE, hackers' favorite target, out of the monthly cycle and release patches as vulnerabilities are discovered, similar to what the company is trying in the Windows App Store, Kandek said. Apps from the online store are updated as needed, as opposed to on a particular schedule.

However, more traditional IT departments could have difficulty keeping up with a faster release system, Kandek said.

In the meantime, companies have options for protecting themselves against sudden publication of previously unknown vulnerabilities.

Alex Watson, director of security research at Websense, suggests segmenting network assets, so PCs used on the Web are not connected to key information repositories.

Reguly recommends limited user permissions, application whitelisting and exploit prevention software, such as the Microsoft Enhanced Mitigation Experience Toolkit (EMET).

Companies also should consider having a patch process that includes evaluating the impact of unexpectedly disclosed vulnerabilities. This will provide the opportunity to ignore flaws that do not affect a company or to hustle to deploy emergency workarounds for those that do, Russ Ernst, director of product management for Lumension, said.

Stories by Antone Gonsalves