On Saturday night, Microsoft reported a new security flaw in Internet Explorer (versions 6 through 11). When exploited, typically by getting a user to visit a malicious or compromised web page, it lets the attacker run code with the rights of the logged-in user, which means access to anything that user account can access.
As of now, the flaw is unpatched. Microsoft has not yet announced whether it will release a patch for this vulnerability outside of its normal monthly patch release cycle.
Since there is no fix for this issue as of now (we will provide an update here when this changes), there is nothing that can be done to ‘fix’ the issue yet. Microsoft has provided a number of workarounds, but none of them comes without consequences: all limit functionality in one way or another. Because of the ‘side effects’ of the suggested workarounds, we have elected to ONLY implement them for customers that specifically request them at this time. If you are an itSynergy customer and would like to talk in more detail about the workarounds and their side effects, please let us know.
In the absence of implementing those workarounds, there are several options to keep yourself safe:
1. The VAST majority of users run as a ‘local administrator’ on their primary workstation. Because the exploit runs with the rights of the logged-in user, an attacker who compromises a local administrator gets full control of that machine instead of just one user’s files and settings. Often the additional rights are only there because a poorly written application demands them, so consider whether you can temporarily remove them until a fix is released.
2. Some of our users that have administrative capabilities over their entire network use a daily account that is a member of their network’s ‘domain administrators’ group (virtually the highest access level possible). Compromising such an account through this flaw hands the attacker the entire domain, not just one workstation. You should NEVER use an administrative account for daily work, and should NOT be surfing the Internet while logged in as an administrator EVER.
3. Only Internet Explorer is affected by this flaw. Using an alternative browser such as Firefox or Chrome avoids the vulnerability until a fix is released; make the alternative browser the default so that links opened from email or other programs do not launch IE.
4. Staying away from websites you don’t know and trust is ALWAYS a good idea, but extra vigilance in this area is especially important now. And as is ALWAYS the case, don’t click links in emails, chat windows, etc., since it is often hard to verify where those links really go. Instead, type the address you want into your browser yourself.
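Items 1 and 2 above come down to one question: is the account you browse with a local administrator, and does your session carry Domain Admins rights? The following PowerShell script is an added example written for this post (it is not Microsoft’s code or one of the workarounds mentioned above). It audits the local Administrators group on a workstation, warns on both conditions, and can optionally remove one account from the group. It uses the WinNT ADSI provider so it also works on older Windows versions that lack the newer local-group cmdlets. The account name `CONTOSO\jdoe` in the comments is a hypothetical placeholder; run the script from an elevated PowerShell prompt, because a non-elevated session hides its own administrative groups.

```powershell
# Added example, not code from the original post or from Microsoft.
# Audits the local Administrators group on a workstation, flags the two
# situations the post warns about (the current user is a local administrator;
# the session carries Domain Admins rights), and can remove one account from
# the local group. Run from an ELEVATED PowerShell prompt. Uses the WinNT ADSI
# provider so it works on older Windows versions without Get-LocalGroupMember.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$RemoveMember = ''   # e.g. 'CONTOSO\jdoe' (hypothetical); empty = audit only
)

$group = [ADSI]"WinNT://$ComputerName/Administrators,group"

# Members come back as COM objects; read ADsPath/Class by reflection and turn
# 'WinNT://CONTOSO/jdoe' into 'CONTOSO\jdoe' so it matches Windows' own naming.
$members = @()
foreach ($m in @($group.Invoke('Members'))) {
    $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
    $name  = ($path -replace '^WinNT://', '') -replace '/', '\'
    $members += New-Object PSObject -Property @{ Name = $name; Class = $class }
}

Write-Host "Members of $ComputerName\Administrators:"
$members | Format-Table Name, Class -AutoSize

# Case 1: the account you are browsing with is itself a local administrator.
$current = [Security.Principal.WindowsIdentity]::GetCurrent()
$direct  = $members | Where-Object { $_.Name -eq $current.Name }
if ($direct) {
    Write-Warning "$($current.Name) is a direct member of $ComputerName\Administrators."
}

# Case 2: the session token carries Domain Admins. This is checked on the token
# rather than the local group because Domain Admins is nested in the local
# Administrators group of every domain-joined machine by default, so the group
# listing alone does not tell you whether THIS user is a domain admin.
$tokenGroups = $current.Groups | ForEach-Object {
    try { $_.Translate([Security.Principal.NTAccount]).Value } catch { $_.Value }
}
if ($tokenGroups -match '\\Domain Admins$') {
    Write-Warning "This session is running with Domain Admins rights; do not browse the web from it."
}

# Optional remediation: drop one account from the local Administrators group.
# Accepts 'DOMAIN\user' or 'COMPUTERNAME\user'.
if ($RemoveMember) {
    $domain, $user = $RemoveMember -split '\\', 2
    $group.Remove("WinNT://$domain/$user")
    Write-Host "Removed $RemoveMember from $ComputerName\Administrators."
}
```

Run it with no arguments to audit, or with `-RemoveMember 'CONTOSO\jdoe'` (hypothetical name) to take that account out of the local Administrators group until the fix ships; the user keeps the account and their files, just not administrator rights on the box. For a quick one-off check without the script, `whoami /groups` from an elevated prompt on Windows Vista or later shows the same token groups the script inspects.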
For customers on any of our monthly plans, the MOMENT a fix is released, we will roll it out to all of your systems. We will also provide an update in our blog.
One other interesting item of note out of all of this…
Several of the affected versions of Internet Explorer are versions that run on Windows XP. As has been widely publicized, Microsoft no longer supports Windows XP and has said it will not issue any more patches for it. As we have discussed retiring XP with our customers over the past several months, a big part of that discussion has been identifying the risks of keeping XP computers (in any quantity) in your environment. Our standard response was that XP wouldn’t stop working, but we had no way of knowing whether an exploitable flaw would be found in a day, a week, or a year, so we couldn’t say how long XP would remain a secure operating system. Well, assuming Microsoft doesn’t blink and issue a patch for XP on this issue, we now have that answer: XP is now an extremely high risk to have in your environment.