Microsoft Security Advisory


If your company website includes Flash components, you may see a decrease in traffic in the coming days.  This is because Microsoft has no word yet on when a fix for a recently-discovered security flaw in Internet Explorer might be available.  The U.S. Department of Homeland security is advising Americans not to use the Internet Explorer Web browser until a fix is found for a serious security flaw that came to light over the weekend.

The bug was announced on Saturday by FireEye Research Labs, an Internet security software company based in Milpitas, California.  Microsoft, which makes Internet Explorer, had not posted any new news about the problem since Saturday. Microsoft says it is aware of only “limited, targeted attacks.” So far no large-scale problems have been reported.

“We are currently unaware of a practical solution to this problem,” Will Dormann at the CERT division of the Software Engineering Institute at Carnegie Mellon University in Pittsburgh, wrote on Monday.  It recommended that users and administrators “consider employing an alternative Web browser until an official update is available.”

Other nations, including the United Kingdom and Sweden, are making the same suggestion.

“Users should also consider using alternative browsers, such as Google Chrome and Mozilla Firefox and ensure that their antivirus software is current and regularly updated,” the United Kingdom’s National Computer Emergency Response Team said in its advisory.

The security flaw allows malicious hackers to get around security protections in the Windows operating system. They then can be infected when visiting a compromised website.  Because the hack uses a corrupted Adobe Flash file to attack the victim’s computer, users can avoid it by turning off Adobe Flash.

“The attack will not work without Adobe Flash,” FireEye said. “Disabling the Flash plugin within IE will prevent the exploit from functioning.”

The security problem has meant going in and disabling Adobe Flash on the computer networks of many of his clients, said Jerry Irvine, the chief information officer at Prescient Solutions, a Chicago-based IT company.

While not difficult to do, it has disrupted some companies that use Flash-based streaming video for communications. “It could be Webinars, it could be training programs,” Irvine said. “Things like WebEx.”

When a victim visits the tainted website using any of the Internet Explorer web browsers versions 6 through 11, the attackers are able to gain full user rights over the victim’s computer — and potentially all information on it.  The security flaw allows attackers to slip malicious code into an innocuous website, using a compromised Adobe Flash file.

While the bug affects all versions of Internet Explorer 6 through 11 it is currently targeting IE9 and IE10, FireEye stated. The attacks do not appear to be widespread at this time. Microsoft said it was “aware of limited, targeted attacks that attempt to exploit” the vulnerability.

These are called “watering-hole attacks,” said Satnam Narang, a threat researcher with computer security company Symantec in Mountain View, California.  Rather than directly reach out to a victim, the hackers inject their code into a “normal, everyday website” that the victim visits, he said. Code hidden on the site then infects their computers. “It’s called a watering-hole attack because if you’re a lion, you go to the watering hole because you know that’s where the animals go to drink.”

FireEye said the hackers exploiting the bug are calling their campaign “Operation Clandestine Fox.”

Microsoft confirmed Saturday that it is working to fix the code that allows Internet Explorer versions 6 through 11 to be exploited by the vulnerability. As of Monday morning, no fix had been posted.  While Microsoft is expected to issue a patch for the problem soon, there will be no patch for the millions people who still run Microsoft’s Windows XP operating system. The operating system was first released in 2001 and Microsoft officially stopped supporting it on April 8, 2014. That means no more security updates.

Microsoft typically releases security patches on the second Tuesday of each month, what’s known as Patch Tuesday. The next one is Tuesday, May 14. Whether the company will release a patch for this vulnerability before that isn’t known.

For more information about how this situation may be affecting your own website, feel free to contact our team at MGR Consulting Group.  For Microsoft updates, you can also visit Microsoft Security Response Center Blog.