Microsoft Planning IE Patch Following Google Attack

Microsoft plans to release an out-of-band patch to plug the zero-day security hole exploited recently in attacks on Google and other companies.

George Stathakopoulos, general manager of Microsoft’s Trustworthy Computing Security group, announced that Microsoft would offer a timeline for the patch on 20 Jan. The company’s move follows news that France and Germany are encouraging users to shun Internet Explorer for now in favor of other browsers.

In addition, researchers from Vupen Security reported on 19 Jan. that the company had developed exploit code that could circumvent the DEP (Data Execution Prevention) mechanism in IE 8, which so far is not known to have been targeted by attackers.

However, Vupen CEO Chaouki Bekrar said the Vupen exploit is not publicly available and was distributed exclusively to IPS (intrusion prevention system), IDS (intrusion detection system) and anti-virus vendors that are members of the Vupen In-Depth Vulnerability Analysis and Exploits Service.

“We used in-house and undisclosed methods to bypass permanent DEP and reliably execute arbitrary code,” Bekrar said. “We first used and improved this method a few weeks ago when we exploited another Internet Explorer 8 vulnerability.”

The best defense against the exploit is to disable JavaScript, Bekrar said.

In the past few days, France and Germany have advised their citizens to switch from IE to other browsers as they await a patch from Microsoft. Attack code for the vulnerability meanwhile continues to appear on the Internet, though so far it seems to have only been used successfully in targeted attacks focused on IE 6.

“The recommendations from France and Germany seem to be an overreaction to the actual risk,” opined Andrew Storms, director of security operations at nCircle. “In my opinion, this reaction should be considered in the context of the contentious and litigious relationship that many EU countries have with Microsoft in general. This is a perfect example of people looking at something that’s happening in the threat environment and generalising the threat from an emotional reaction instead of really quantifying risk that is specific to their business.”

For its part, Microsoft is still recommending that users upgrade to IE 8 as they wait for a patch.

“We take the decision to go out-of-band very seriously given the impact to customers, but we believe releasing an update out-of-band update is the right decision at this time,” Stathakopoulos wrote on the Microsoft Security Response Center blog.