Internet Explorer Bug: Steps to TakeExperts Offer Remediation Tips, Details on Vulnerability
Faced with a vulnerability that exposes Microsoft's Internet Explorer Web browser to a zero-day exploit involved in recent targeted attacks, CISOs need to take prompt action, security specialists say. That includes communicating the vulnerability to end users, using alternate Web browsers and developing an incident management strategy.
Meanwhile, organizations must be prepared to deal with other online vulnerabilities as they emerge, warns Alan Brill, senior managing director at security advisory firm Kroll Solutions. "Organizations that don't recognize that - and treat each incident as a separate crisis - are likely to expend more effort going through the incidents than those that develop an incident management strategy," he says.
On April 28, the Department of Homeland Security's U.S. Computer Emergency Response Team urged online users to avoid using Internet Explorer, versions 6 through 11 (see: DHS Says Stop Using Internet Explorer). It warned that the browser vulnerability "could lead to the complete compromise of an affected system."
The exploit of the vulnerability by hackers was first identified by security firm FireEye, which outlined the vulnerability in an April 26 blog post. The company says the exploit is significant because the vulnerable browsers "represent about a quarter of the total browser market."
Although Microsoft says it's working on a patch for the browser vulnerability, the company is no longer issuing any patches to users of its Windows XP operating system after recently dropping support for it (see: End of XP Support: Are Banks Really Ready?).
Because Internet Explorer is widely used, the vulnerability "is a big deal," says Steve Durbin, global vice president at the Information Security Forum, an independent membership organization that offers information risk management research and mitigation strategies. "Internet Explorer has a significant share of the market, so that's a huge number of devices that are now at risk until Microsoft is able to issue a fix."
The vulnerability in Internet Explorer versions 6 through 11 could allow hackers to gain control of a user's computer after it's been infected with malware, Durbin explains.
"The risk is that you could become more vulnerable to a malware infection that would bypass your anti-malware defenses, allowing hackers and cybercriminals to assume control over your device and use it as if they were the owner," Durbin says. "In short, you lose control over your ability to securely operate your device in cyberspace."
Anton Chuvakin, a research vice president at the consultancy Gartner, says that the vulnerability allows for a malicious website to execute code on the user's vulnerable Web browser. "Injecting malware is one route, but they can also make system changes," he says. "If the user runs an administrative account, more effects are possible."
The vulnerability is being actively exploited, Chuvakin says. "It is not a minor worry, but it is certainly not another Heartbleed," he says. "Major Internet Explorer vulnerabilities have been common in the past, and this one does seem to make Web-borne malware injection pretty easy."
The Internet Explorer vulnerability is a "tremendous risk," says Tom Kellermann, managing director for cyberprotection at Alvarez and Marsal, a business management firm. "It is akin to leaving your keys in the ignition in a bad neighborhood. It is imperative that users move to other browsers until a patch has been released. Passwords should also be immediately changed and anti-virus programs run."
Mitigating the Risks
Organizations in all sectors need to develop a comprehensive incident management strategy, developing methods that work for their particular structure, to be ready for the next crisis, "be it mini or mega," Kroll's Brill says.
"Each crisis requires analysis," he says. That includes assessing how, if at all, the organization was affected and determining the steps that need to be taken to respond to the threat. "Having a pre-defined process, working group, notification procedures, and, in some cases, pre-defined plans for various types of crises is incredibly helpful," he stresses
To deal with the Explorer vulnerability, Durbin advises organizations to immediately disable Adobe Flash.
"The attack is dependent upon Adobe Flash working, so if you disable Adobe Flash within Internet Explorer you should prevent the attack from working, and by so doing, manage your vulnerability," he says.
Organizations also need to carefully monitor their networks and defenses and review traffic, he adds. And they need to inform all users about the vulnerability "so they can take the necessary steps on their corporate and personal devices to manage their risk," he says. "Managing your corporate resources alone won't help. If you have a bring-your-own-device policy, your employees are hacked and they don't know about it."
Christopher Paidhrin, security administration manager at PeaceHealth, a healthcare provider in the Pacific Northwest, says his organization worked to understand the level of exposure it faced and the remediation steps it needed to apply. "We have a desktop team, an automated update program and a security team that won't rest," he says.
Applying the Patch
Of course, organizations should apply the Internet Explorer patch from Microsoft as soon as it's available.
Regarding the patch, Microsoft says once it's completed its investigation, it will take appropriate action to protect its customers, "which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs."
But until then, Gartner's Chuvakin notes that "Microsoft also recommends its Enhanced Mitigation Experience Toolkit that seems to break the exploitation."
CISOs need to educate senior leaders that all Web browsers eventually will be hacked, Chuvakin says. "[Browsers] are complex pieces of software, and this, sadly, means that they will remain vulnerable," he says. "The attackers will break through browser security and, thus, additional layers of security monitoring need to be in place."