This is the second time in 18 months that Microsoft has gone out of band to release an emergency patch (the last time being October, for the RPC issue). This one is for an Internet Explorer vulnerability that is being actively exploited right now. We have seen Proof of Concept (POC) code for the exploit available since December 11th. With the holiday less than two weeks away, and given the wide use of IE within business enterprises and the severity of the vulnerability, we recommend IT professionals patch this vulnerability as soon as business conditions permit. There were over 100 websites on the 11th hosting some type of malware associated with this vulnerability. Today, that has grown to thousands of sites.
Microsoft felt this issue warranted an out of band patch because the underlying exploit was being actively used in the wild and damage was mounting. I have seen reports of up to 6000 compromised web sites hosting web pages that take advantage of the vulnerability. MS played down the issue on Patch Tuesday, but by the end of the week we in the security community had proven in our own labs that it was not just an IE 7 issue and that in fact it impacted multiple versions of IE, even Beta version 8, across multiple MS operating systems.
A recent study titled “Understanding the Web browser Threat: Examination of Vulnerable Online Web browser Populations and the Insecurity Iceberg” found that 57% of IE users were not running the most current, patched version. This will be a wake up call to IT professionals to make sure to patch their browsers. It also speaks volumes about the underlying problem with web-borne malware. We as a community are constantly trying to outsmart the bad guys on their delivery method. However, it is not necessarily a delivery / obfuscation issue; the underlying issue is a failure to patch, browsers included. A recent Verizon study showed that over 70% of the exploits used in web-borne malware had vendor patches available for up to a year and less than 1% had patches available within a 30 day window. The web-borne malware issue is a patch management issue and can be simply fixed by patching in a timely fashion according to industry best practices.
For more information, check out the recent SC Magazine article: http://www.scmagazineus.com/Emergency-Internet-Explorer-patch-issued/article/123029/.




