New Internet Explorer Vulnerability Sparks Warnings, Spotlights End User Security Risks

by Sue Poremba
Contributing Writer

If you use IE 6-9 on XP, Vista, or Windows 7, your computer may be at risk, thanks to a zero-day vulnerability discovered earlier this week.

According to Marc Maiffret, CTO of BeyondTrust, the exploit allows an attacker to compromise the computer and run code on it in the same context as the logged-in user. This means an attacker can access the victim's files or even completely backdoor the system for full access.

"This vulnerability is related to the Java exploit from a few weeks ago because the original researcher who discovered this vulnerability actually found it on one of the attacker servers used in the Java zero-day attacks," Maiffret said in an email. "It looks like the same attackers behind the Java attacks were a bit sloppy in leaving this zero-day exposed on their server for someone to find."

Word of the vulnerability comes at the same time the new IE-based web client for Microsoft Dynamics GP is being tested in beta. In addition, NAV 2013 will be supported on IE9. But Maiffret said he doesn't think this particular vulnerability will have much impact on the new releases. Instead, he said, it is important to know how dependent the software is on the IE browser. It is always best to have a back-up plan in case another flaw is found in IE and you have to move to another browser in order to keep data safe.

The new vulnerability has caused enough concern that German officials warned the country's citizens to stop using IE altogether and move to another browser. It was a move that the vast majority of security experts agreed with. However, Maiffret said that asking your employees to suddenly, and temporarily, switch to another browser isn't the answer to the problem.

"In general though you do not want your security to be that of which you ping-pong between one software product or another as they all have issues on any given timeline," he said. "Another important thing to know is that the exploits for later versions of Windows, such as Windows 7, require Java to also be installed. This is unrelated to the previous Java vulnerability but rather that Java makes exploitation of this new Internet Explorer vulnerability much easier for attackers. So another good mitigation is to make sure you remove Java where you do not need it or restrict Java access to only specific websites that your company trusts."
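Maiffret's advice above starts with knowing where Java is installed at all. The following PowerShell script is an added example, not code from the article or from BeyondTrust: it inventories Java installations on a Windows host by reading the standard Uninstall registry keys (both the native and the WOW6432Node views) and the JavaSoft key, so an administrator can decide where Java can be removed. The function name `Get-JavaInstalls` is the example's own; the registry paths are the standard Windows locations.

```powershell
# Added example (not from the article): list Java installations registered on this
# Windows host so an administrator can see where Java is present before removing it
# or restricting it to trusted sites. Run in an elevated PowerShell session if the
# WOW6432Node view is not readable as a normal user.

# Standard Uninstall keys; the WOW6432Node key only exists on 64-bit Windows.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-JavaInstalls {
    # Return one object per Uninstall entry whose display name mentions Java.
    foreach ($key in $uninstallKeys) {
        # SilentlyContinue: a missing WOW6432Node key on 32-bit Windows is not an error.
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -match 'Java' } |
            Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation
    }
}

$hostName = $env:COMPUTERNAME
$java     = @(Get-JavaInstalls)

# The JavaSoft key is created by the Java runtime installer; its presence is a
# second indicator even if the Uninstall entry has been tampered with or removed.
$javaSoftPresent = Test-Path 'HKLM:\SOFTWARE\JavaSoft'

if ($java.Count -gt 0) {
    Write-Output "Java installations registered on ${hostName}:"
    $java | Format-Table -AutoSize
} else {
    Write-Output "No Java installation registered in the Uninstall keys on ${hostName}."
}

if ($javaSoftPresent) {
    Write-Output "HKLM:\SOFTWARE\JavaSoft exists: a Java runtime has been installed on this host."
}
```

Running this across a fleet (for example through a remoting session or a management agent) gives the list of machines where Java is installed but not required, which is the set Maiffret suggests removing it from; machines that do need Java are candidates for the trusted-site restriction he describes.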

However, Bill Morrow, CEO and Executive Chairman of Quarri Technologies, pointed out that this latest vulnerability is simply another example of why endpoints today continue to be afterthoughts in the security landscape.

"While Microsoft works on a patch for this new bug, industry experts are suggesting that users install new software and/or reconfigure network browser settings. While the right idea in theory, in reality there is a high probability that many end users wouldn't perform the necessary mitigation or configuration steps to stop the attack," Morrow said.

Microsoft did pounce on the vulnerability rather quickly, at first providing a stop-gap fix until a permanent patch could be released. The new security update will be available on Friday, September 21 at 10 a.m. PDT, rather than waiting for the traditional Patch Tuesday updates on October 9. (This is not to say Microsoft is perfect about these patches, however. The patch to correct a problem with Adobe Flash embedded in IE10 has yet to come, so if you are using IE10 or Windows 8, you have your own vulnerability concerns to worry about.)

It is important to point out that, according to Morrow, this latest vulnerability shows enterprise web applications are at the mercy of the end user's skills as a security administrator.

"To minimize their exposure to malware," Morrow said, "it is critical for organizations to provide and enforce the use of a secure, hardened browser session to protect their most sensitive information and prevent unauthorized use and replication of confidential data."
