More on Explorer vulnerability



Among other things… Sans has lowered the infocon to green, NOT that the threat is diminished, but there have been no new developments with regards to the announcement yesterday of a major Internet Explorer security vulnerability. Sans recommends browsing the web with firefox (with the noscript extension, so you can enable/disable javascript where you wish). There has not yet been evidence of an active attempt at exploiting the vulnerability, but the proof of concept code could be relatively easily changed.


The Security Fix has more on the issue this morning as well. It’s worth noting that more than half of the visitors of SecurityFix are using Internet Explorer, about 50% of users at SANS and 49% here, (more like ~85% on my non-tech related sites). So, there are a WIDE swath of viewers that ARE CURRENTLY VULNERABLE…

On the Main page at the SANS incidents.org page, there is a bit of text just above the “handlers diary entries” that depending on your browser will show…

Over the last hour, 47 % of the visitors to this site were vulnerable to the Internet Explorer 0-day exploit. (result based on browser version and javascript enabled)
You are considered not vulnerable

Or something like the image below at the SecurityFix..

Sans javascript detection
(On the incidents.org page, you’ll need to look for the pink rectangle and read the text right underneath. I missed it as I was browsing the site earlier.)

–udpate 12:34am EST 11/23/05–

Looks like the noscript plugin for firefox has gotten enough publicity to push it to the #2 spot in popular extensions. There is still no patch, either disable javascript in Explorer, or browse with Firefox/Opera instead. (Many recommend Firefox with the noscript extension as one of the safest ways to browse.)

–update 1:01 AM EST 11/23/05–

The Department of Homeland Security’s CERT advisory on the problem, left out a basic bit of advice the suggestion to use an alternative web browser. Brian, at the securityfix, reminds us of a problem in 2004 in which CERT suggested the using of alternative browsers (CERT didn’t specify any particular alternatives). In Brian’s article, he added something along the lines of “such as …. Firefox, Opera or Netscape”, which led to voicemail complaints from Microsoft, and their PR folks AND CERT that he was putting words into their mouths.

Since then, he notes, he cannot cite ONE instance of an advisory from US-CERT that has recommended an alternative browser until there is a patch, in all cases the recommendations have been disabling the offending component.. Now, the javascript disabling is relatively easy to do. Suggesting people set the kill bit in the registry on a specific ActiveX component is a silly way to suggest average users deal with a security problem. (Just an example, not the current issue, just trying to point out the extremes.) It does almost seem as though they’re tap-dancing around the big elephant in the room… it would be nice to be re-assured that they are serious about advising people on the easiest way to secure their PC’s as opposed to the easiest way to continue browsing with a Microsoft product.

He does note an interesting stat in pointing out that most people likely get their computer security advice from somewhere other than US-CERT…

(Web site monitoring firm Netcraft’s anti-phishing toolbar ranks US-CERT.gov as the 220,589th most popular site on the Web)

He recommends (as do many others) installing an alternative browser like Opera, Firefox, or Netscape and using that to browse at least until this vulnerability is patched.

If you just can’t tear yourself away from IE, he gives the following walkthrough on disabling javascript…

For those users who positively must continue using IE for everyday Web browsing, disabling scripting in the browser should protect you from this flaw. Here’s how you do that:
1) From IE’s top menu, go to “Tools.”
2) Choose “Internet Options.”
3) Click on the tab marked “Security,” then the button marked “Custom Level.”
4) Change the buttons under the “Scripting” heading from “Enable” to “Prompt” or “Disable.”

He notes this can make browsing a frustrating experience, the WashingtonPost.com page gives 6 popups for various script elements. So many sites use Javascript for ads, user tracking, even menuing it could quickly get to be a great pain… Unfortunately the prompts come before any part of the page loads, so you have to go ahead with the judgement call. (what if you mistyped the URL and got a bogus site?)

For the above reason, he recommends Firefox with the noscripts extension as has already been discussed above. For most sites Firefox provides a good browsing experience (I’ve run across a few still that are IE only). Some of the feature improvements though in firefox (and extensions) may bring you to the point of not returning to IE. (Yes you can import all your bookmarks, the first time it loads it asks if you want to do that.) The nice thing about the noscripts extension is you can load the page, the extension sits in the status bar and scripts can be enabled after seeing the content of the page. (Much better to have info to make a judgement call on, eh?)

Further… I’ve heard reports that firefox under linux crashes on the exploit code. I haven’t had a chance to test that out, likely will momentarily. (Having the noscript extension would prevent that.) (It does indeed seem to have that effect for me as well.)

   Send article as PDF   

Similar Posts