IE zero-day flaw shows kinks in Microsoft patching

Vulnerability in Internet Explorer 10 was only addressed with temporary Fix It module before permanent patch was issued

The speed at which cybercriminals exploited an Internet Explorer vulnerability discovered in mid-February and finally patched Tuesday demonstrates the snags in Microsoft's security update system.

[70 percent of business users vulnerable to latest Internet Explorer Zero-Day]

The critical vulnerability in IE 10, which would enable an attacker to run code remotely on a Windows PC, was first announced Feb. 13 after security researchers reported finding an exploit in the Web site of the French Aerospace Industries Association. The group has more than 300 members.

Roughly a week after the discovery, Microsoft released a Fix It module that plugged the hole temporarily until a permanent patch was released.

"Unfortunately, not many people are aware of these modules and they do not get installed widely," Wolfgang Kandek, chief technology officer for Qualys, told CSOonline.

Companies using IE 10 also had the option of upgrading to IE 11, which did not contain the same flaw. However, such upgrades can be major projects for many companies.

In the meantime, cybercriminals got started trying to exploit the vulnerability shortly after its existence became public. The exploit source code used in the initial attack was seen in other compromised sites, according to security vendor Websense.

Besides the Frence Aerospace site, exploits were found in the web sites of a Japanese travel company, a Taiwanese English school, the Chemistry Department of Hong Kong University, and the Veterans of Foreign Wars. The VFW site was hosted in Blue Springs, Mo.

The fast work of cybercriminals indicated that they were "looking to make a quick profit from the security hole," Websense said.

Security researchers generally praise Microsoft's patching system, which includes regular releases on the second Tuesday of every month and emergency fixes in between as needed. By comparison, Oracle releases updates quarterly and Cisco biannually.

"Microsoft is a patch delivery speed demon compared to these two," Tyler Reguly, manager of security research for Tripwire, said.

Nevertheless, some experts believe more needs to be done.

"Overall I believe we need to move to faster patching cycles, but I am aware that out-of-band patches cause significant disruption in organizations that are not prepared to deal with them," Kandek said.

One solution is for Microsoft to take IE, hackers' favorite target, out of the monthly cycle and release patches as vulnerabilities are discovered, similar to what the company is trying in the Windows App Store, Kandek said. Apps from the online store are updated as needed, as opposed to on a particular schedule.

However, more traditional IT departments could have difficulty trying to stay up with a faster release system, Kandek said.

[IE zero-day exploit being used in widespread attacks]

In the meantime, companies have options for protecting themselves against sudden publication of previously unknown vulnerabilities.

Alex Watson, director of security research at Websense, suggests segmenting network assets, so PCs used on the Web are not connected to key information repositories.

Reguly recommends limited user permissions, application whitelisting and exploit prevention software, such as the Microsoft Enhanced Mitigation Experience Toolkit (EMET).

Companies also should consider having a patch process that includes evaluating the impact of unexpectedly disclosed vulnerabilities. This will provide the opportunity to ignore flaws that do not affect a company or to hustle to deploy emergency workarounds for those that do, Russ Ernst, director of product management for Lumension, said.

Copyright © 2014 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)