Security Bulletins

Vulnerability In Multiple Versions of Internet Explorer

Updates

Background

On September 16, 2012, an exploit was publicly disclosed by a security researcher who was investigating a compromised system. On September 17, Microsoft released Security Advisory 2757760, acknowledging an unpatched vulnerability in multiple versions of Internet Explorer. Also on September 17, 2012, the exploit was added to the popular Metasploit framework, which is used by both penetration testers and attackers.

Impact

Browsing the web with a vulnerable version of Internet Explorer means that simply visiting a malicious website is enough for an attacker to compromise your computer. This is known as a "drive-by download". While "safe browsing" to only trusted websites may limit your exposure to drive-by downloads, it does not address the underlying vulnerability or prevent exploitation. For example, a site you consider to be "safe" may contain advertisements or other content provided by third parties.

An attacker who successfully exploits this vulnerability could gain the same rights on the computer as the logged-in user. Using a low-privilege account, instead of an account with administrative rights, may limit the scope of the compromise.

Please see "UISO Recommendations" and "Workarounds" below for further steps that must be taken.

Platforms Affected

A full list of affected and non-affected software is available in Security Advisory 2757760. Affected software includes the following versions of Internet Explorer on Windows platforms:

  • Internet Explorer 6
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9

Note: Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 can run Internet Explorer in "Enhanced Security Configuration" mode, which may mitigate this vulnerability.

Local Observations

Using network sensors, the University Information Security Office (UISO) monitors the network for hosts being exploited by drive-by downloads, including known versions of this Internet Explorer exploit. UISO attempts to block this activity and notify affected users when it is observed on the network.

Microsoft and others have reported this exploit has been used successfully in targeted attacks. In the UISO's opinion, it is likely attacks based on this vulnerability will increase in the future due to the public disclosure of the exploit, the wide range of systems affected, lack of an available patch, and the quick inclusion in the Metasploit framework.

UISO Recommendations

  • As of September 21st, a patch is available and affected users are encouraged to install it through Windows Update as soon as possible.
  • Consider using an alternative web browser, such as Firefox or Chrome.
  • Disable Java - Consider disabling or uninstalling Java if it is not needed. Some known and published versions of this exploit require Java to be present on the machine. This should not be considered a workaround for this specific vulnerability, but rather a precautionary measure.
  • Verify your software is up to date by installing Secunia Personal Software Inspector on hosts running the Windows operating system and patching any of the vulnerable software it finds.

Workarounds

  • As of September 21st, a patch is available and affected users are encouraged to install it through Windows Update as soon as possible.
  • Consider using an alternative web browser, such as Firefox or Chrome.
  • Install the Microsoft "Fix-It" workaround until a full patch is available. Note: On 64-bit versions of Windows this will only mitigate the vulnerability in the 32-bit version of Internet Explorer.
  • Install the Microsoft Enhanced Mitigation Experience Toolkit (EMET) and configure it to protect Internet Explorer - Step-by-step instructions are available in the "Workarounds" section of Security Advisory 2757760. While Microsoft recommends this as an effective workaround, other sources indicate it may not be effective in all cases.
  • Disable ActiveX Controls and Active Scripting or configure Internet Explorer to prompt to run scripts - While this workaround may be effective, many Internet sites require scripting and will not function properly with it disabled. Users selecting this workaround would be required to manage which sites are allowed to run scripts. Details are available in the "Workarounds" section of Security Advisory 2757760.
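
A read-only check for the affected versions and the scripting workaround listed above, as an added PowerShell example that is not part of the bulletin or of Microsoft's advisory. It assumes the standard Internet Explorer registry locations and the per-user settings for zones 1 (Local intranet) and 3 (Internet), actions 1200 and 1400; settings enforced through Group Policy are not inspected.

```powershell
# Added audit example (not from the bulletin or Microsoft). Read-only: changes nothing.
# Assumption: per-user zone settings only; policy-enforced values are not read.

$AffectedMajor = 6, 7, 8, 9      # versions listed under "Platforms Affected"
$ZoneNames = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Actions   = @{ 1200 = 'Run ActiveX controls and plug-ins'; 1400 = 'Active scripting' }
$Meaning   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-IEMajorVersion {
    $ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    if (-not $ie) { return $null }
    # IE 10 and later keep a legacy 9.x string in Version and the real one in svcVersion.
    $raw = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
    if (-not $raw) { return $null }
    return [int]($raw -split '\.')[0]
}

function Get-ZoneScriptingState {
    foreach ($zone in $ZoneNames.Keys) {
        $path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        $key  = Get-ItemProperty $path -ErrorAction SilentlyContinue
        foreach ($action in $Actions.Keys) {
            $value = $null
            if ($key -and $key.PSObject.Properties["$action"]) {
                $value = $key.PSObject.Properties["$action"].Value
            }
            # Show the raw number for any value outside the three known states.
            $state = if ($null -eq $value) { 'Not set' }
                     elseif ($Meaning.ContainsKey([int]$value)) { $Meaning[[int]$value] }
                     else { "Other ($value)" }
            New-Object PSObject -Property @{
                Zone       = $ZoneNames[$zone]
                Setting    = $Actions[$action]
                State      = $state
                Restricted = ($state -eq 'Prompt' -or $state -eq 'Disabled')
            } | Select-Object Zone, Setting, State, Restricted
        }
    }
}

$major = Get-IEMajorVersion
if ($null -eq $major) { 'Internet Explorer version not found in the registry.' }
elseif ($AffectedMajor -contains $major) {
    "Internet Explorer $major is in the affected range (6-9); confirm the patch through Windows Update."
}
else { "Internet Explorer $major is not in the bulletin's affected list." }
Get-ZoneScriptingState | Format-Table -AutoSize
```

A row with Restricted = False means that zone still runs scripts or ActiveX controls without prompting, so the workaround is not in effect for the current user.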

Further Reading