Following the September 16 discovery of a zero-day exploit in Microsoft’s Internet Explorer web browser, the company has quickly released a patch to fix the vulnerability.
The zero-day exploit, which affects IE versions 6, 7, 8 and 9, allows hackers to seize direct control of a victim’s computer. The Internet security flaw prompted calls from industry experts and even the German government to stop using the browser until it was fixed, according to InformationWeek. Given the widespread use of Internet Explorer, security firm Rapid7 claimed as many as one-third of worldwide Internet users could have been vulnerable to attack.
Microsoft announced a workaround on September 20, and the patch went live via Windows Update on September 21. Yunsun Wee, director of Microsoft's Trustworthy Computing Group, announced the resolution patch and downplayed the threat, noting “the vast majority of people are not impacted by this issue.”
Handling the zero-day threat
While Microsoft was insistent that the number of actual attacks targeting the zero-day vulnerability was limited, it responded rapidly to a problem that has become a serious concern among IT professionals. Some, like cloud security expert Andrew Storm, applauded Microsoft’s quick response but agreed with the company that the scope of the threat was minor.
"There's been a lot of discussion, but it hasn't panned out to be an Internet pandemic,” Storm told InformationWeek.
Others found the effects to be more widespread.
"I've found several targeted attacks going on that use that zero-day,” Jaime Blasco, manager of AlienVault Labs, told Dark Reading. “If I'm able to find them, it is obvious there will be probably dozens of other instances out there that we are not able to identify. The instances I've found are being used to target specific sectors including (Department of) Defense contractors, industrial companies, supply chain companies…”
Blasco also said he had already encountered more than 10 versions of the exploit in the wild, spread across different servers and targeting a variety of users. Despite Microsoft’s patch, the data security risk could continue.
"Once [the exploit] starts getting into the wild, other groups get hold of it and turn it to their own nefarious means,” Ryan Eldridge, co-founder of computer repair company Nerds on Call, told InformationWeek.
Microsoft’s ongoing IE struggles
News of the zero-day exploit comes in the wake of a separate security gaffe surrounding the release of Microsoft’s IE 10 for Windows 8. The updated browser integrates Adobe’s Flash Player rather than using a plug-in, a move designed to protect users who are not always diligent in their updating. However, following a series of Adobe patches, Microsoft announced it would not fix the same vulnerabilities until Windows 8 shipped on October 26.
After coming under fire, Microsoft reversed the decision. The company continues to face questions about Internet security, but, according to experts, much of the criticism is undeservedly harsh. By doubling resources for testing and bundling Flash updates with the new browser, Microsoft may display stronger security in the long run. Much of the reason it remains a target is that its market share is so large – a reality created in part by Microsoft’s security support, experts said.
"People calling for users to stop using Internet Explorer are missing the point,” Anup Ghosh, an endpoint security executive, told Dark Reading. “IE is not materially worse security-wise than the other major browsers. Its market share is what drives production of exploits – switching from IE to other browsers will only shift malware writers to other browsers.”
Security News from SimplySecurity.com by Trend Micro