
Wednesday, December 17, 2008

New Internet Explorer Security Exploit

When I was a kid, I remember reading a story about a chicken that got bonked on the head by a falling acorn and she thought that the sky was falling. Chicken Little then went around to every animal she could find proclaiming that “the sky was falling”. The result was a small panic spreading throughout the farm, until one of them looked up and saw that the sky was still exactly where it started that morning.

I’d like to say that this report is a “Chicken Little” event, but it has just the right amount of paranoia that says, “maybe, this time, the sky is falling”. I’m talking about the new flaw found in Internet Explorer.

Originally thought to be confined to IE7, it now seems to encompass everything from IE5 to the latest beta release of IE8. This exploit also appears to have been bought, sold and employed since about October.

If you are into the technical details from Microsoft TechNet or looking for sites to avoid, you can find them here.

If you are running IE7, Microsoft suggests that you turn on Data Execution Prevention (DEP). What this essentially does is mark certain memory locations as protected (as in locations that only the OS should have access to), and if a piece of code attempts to write to those locations (malicious or otherwise), DEP will shut the program down and send you an alert.

To turn on DEP in your Windows XP system, open your control panel and click on the “System” icon. The "System Properties" window will come up.

Click on the "Advanced" tab, go down to the "Performance" section and click on the “Settings” button. This will bring up the "Performance Options" window.

Under the "Performance Options" window, click the "Data Execution" tab. Make sure to select the radio button next to “Turn on DEP for all programs and services except those I select”.

Then hit the “Apply” button. Your system will request a reboot before the changes take effect.
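
On Windows XP SP2 the radio button chosen above is stored as the `/noexecute=OptOut` switch on the boot entry in `boot.ini`, so the setting can be checked after the reboot. The following Python sketch is an added example, not part of the original post: it reads a `boot.ini` and reports the DEP policy of the default boot entry. The sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample boot.ini for illustration (typical default paths).
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""

# Meaning of each /noexecute= value.
POLICIES = {
    "optin": "DEP for essential Windows programs and services only",
    "optout": "DEP for all programs and services except those selected",
    "alwayson": "DEP for everything, no exceptions allowed",
    "alwaysoff": "DEP disabled",
}

def default_dep_policy(boot_ini_text):
    """Return the /noexecute policy of the default boot entry, or None if not set."""
    section, default_path, entries = None, None, {}
    for raw in boot_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot loader" and line.lower().startswith("default="):
            default_path = line.split("=", 1)[1].strip().lower()
        elif section == "operating systems" and "=" in line:
            path, rest = line.split("=", 1)
            # Drop the quoted description so only the switches are searched.
            entries[path.strip().lower()] = re.sub(r'"[^"]*"', "", rest)
    match = re.search(r"/noexecute=(\w+)", entries.get(default_path, ""), re.IGNORECASE)
    policy = match.group(1).lower() if match else None
    return policy if policy in POLICIES else None

def covers_all_programs(policy):
    """True when DEP applies to ordinary applications, not just system components."""
    return policy in ("optout", "alwayson")

if __name__ == "__main__":
    policy = default_dep_policy(SAMPLE_BOOT_INI)
    print(policy, "-", POLICIES.get(policy, "no /noexecute switch found"))
    print("covers all programs:", covers_all_programs(policy))
```

The constructed sample reports `optin`, the state before the change; after following the steps above the same check should report `optout`.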

While this may be a stopgap measure, I don’t think it is a true solution. If it were, we wouldn’t see the level of concern from the security experts or even Microsoft.

The current recommendation is to use one of the other browsers out there (Firefox, Chrome, or Safari) until Microsoft issues a suitable patch.

The current projection, based on Microsoft’s past patch schedule, puts this at Jan 13, 2009.

Reference articles are here from washingtonpost.com:

Microsoft Investigating Reports of New IE7 Exploit

Microsoft: Big Security Hole in All IE Versions

Article from Chris Null on Yahoo
