IE Zero-Day Vulnerability, Security Advisory 2963983

[Corrine]

Microsoft released Security Advisory 2963983 which relates to a vulnerability in Internet Explorer.

 

With the vulnerability, an attacker could cause remote code execution if someone visited a malicious website with an affected browser. Generally, this would occur by an attacker convincing someone to click a link in an email or instant message.

 

Although the vulnerability affects all versions of IE, at this time, Microsoft is aware of limited, targeted attacks, in which the exploit observed appears to target IE9, IE10 and IE11.

 

Recommendations are available in Microsoft Security Advisory 2963983 as well as my blog post, Security Advisory 2963983, IE Zero-Day Vulnerability which includes additional references.

[Guest LilBambi]

Those still using Windows XP on the Internet, please be aware:

VERY IMPORTANT FOR ANY HOLD OUT WINDOWS XP USERS

This is the first of the security vulnerabilities that DOES NOT include workarounds for Windows XP. The oldest Windows noted as being affected are: Windows Server 2003 SP2 and Vista SP2.

IMPORTANT NOTE: Once a Microsoft product's support has expired -- as is true now about Windows XP SP3 since April 8, 2014 -- Microsoft no longer lists it as affected by the vulnerabilities being patched. Microsoft only list Windows versions which are still under Mainstream Support or Extended Support. This has always been the case.

If anyone is still using Windows XP on the Internet (UNWISE!!), it would be strongly recommended to disallow IE (Internet Explorer) access to the Internet through your software firewall*, and use another browser like Firefox and Google Chrome which will still be getting updates for a time.

* Any Windows XP users still on the Internet should at least have:

• a hardware router with Stateful Packet Firewall
  
• should be using a 'real' software firewall as well as a good AV program. Just one good choice that will continue to support Windows XP is ESET's Smart Security which is a very good antivirus and firewall. It is the one I use. It is not free. There are several free antivirus programs but not many free security suites.
  
• block Internet Explorer through the ESET or other software firewall.
  
• should be using a 3rd party browser like Mozilla Firefox with NoScript, Adblock Plus and WOT to help sort out safer search results on search engines, or Google Chrome with ScriptSafe, Adblock Plus and WOT Extension.
  
• uninstall Java entirely, keep Adobe Flash religiously updated for Firefox as long as Adobe continues to provide them. Google Chrome updates Flash within itself. Might want to switch from Adobe Reader to Sumatra PDF reader which is a simple PDF viewer.
  
• need to be even more careful than ever before about where you go. The bad guys will be looking with great anticipation for computers with expired Windows XP.
  
• no risky behavior
  
• no banking ... note very soon banks will be disallowing expired Windows XP entirely anyway.
  

IMPORTANT: You can not block a program from getting out to the Internet with the Windows XP Firewall. It is only a one way firewall. It only monitors incoming Internet requests, instead of both ways as any real firewall including Windows 7 and Windows 8 built-in software firewalls do.

Here's a quote from a ZDNet article:

To those planning to

stick resolutely with the aged Windows XP

operating system even after Microsoft ends support next year, the

advice from experts

is simple: Don't do it.

Again: I would strongly suggest you get a new computer, upgrade your computer if it can be upgraded to a modern/still supported Windows such as Windows 7 or Windows 8, or get a Mac, or you could convert/upgrade the computer to Linux or use a Linux LiveCD to visit the Internet and still use Windows XP as a standalone NOT CONNECTED TO THE INTERNET computer.

This was part of my posting today here.

[raymac46]

Good advice in the link about converting to Linux. However I still believe that installing and configuring an operating system is beyond the capabilities of the average XP refugee. It takes some help from a Linux advocate.

As far as using LM 13 good idea unless your "client" decides on the newest HP printer - in which case be ready to install the latest HPLIP and hope that an "update" doesn't revert to an older version and hose your printing capability. Printers are a must for older folks as they want paper documentation. Right now I have a lady in this situation and I am waiting for LM 17 so that I can fix her up for a few years.

Edited April 27, 2014 by raymac46

[Corrine]

Microsoft Internet Explorer Use-After-Free Vulnerability Guidance | US-CERT

US-CERT recommends that users and administrators review Microsoft Security Advisory 2963983 for mitigation actions and workarounds. Those who cannot follow Microsoft's recommendations, such as Windows XP users, may consider employing an alternate browser.

 

UK Government officials have also advised using an alternate browser: UPDATE 2-US, UK advise avoiding Internet Explorer until bug fixed: Thomson Reuters Business News - MSN Money

 

Google Chrome and Mozilla Firefox (as well as Pale Moon) run on Windows XP and will receive security fixes until at least April 2015.

[Guest LilBambi]

Good advice in the link about converting to Linux. However I still believe that installing and configuring an operating system is beyond the capabilities of the average XP refugee. It takes some help from a Linux advocate.

As far as using LM 13 good idea unless your "client" decides on the newest HP printer - in which case be ready to install the latest HPLIP and hope that an "update" doesn't revert to an older version and hose your printing capability. Printers are a must for older folks as they want paper documentation. Right now I have a lady in this situation and I am waiting for LM 17 so that I can fix her up for a few years.

 

Yep, so true. That's why I offer some thoughts on that at the bottom of my blog posting that I linked to.

 

Microsoft Internet Explorer Use-After-Free Vulnerability Guidance | US-CERT

 

 

UK Government officials have also advised using an alternate browser: UPDATE 2-US, UK advise avoiding Internet Explorer until bug fixed: Thomson Reuters Business News - MSN Money

 

Google Chrome and Mozilla Firefox (as well as Pale Moon) run on Windows XP and will receive security fixes until at least April 2015.

 

 

Yep!

[Guest LilBambi]

However, because some malware has been known in the past to call other software such as IE (especially if the timing is such that they can mix this with another vulnerability such as in Flash, etc.), there may still be a chance that the bad guys could then make use of the IE Zero-Day (in XP in particular) since it isn't going to be fixed (whenever Microsoft gets around to fixing it for the still supported Windows versions).

 

This is why not only using another browser, but blocking IE through the software firewall OR using EMET v3 might be very important as well if one is foolish enough to continue to use XP on the Internet.

[Corrine]

An out of band security update is being released today. In a surprising move, Microsoft has indeed decided to issue an update for Windows XP users!

 

MSRC Blog Post: Out-of-Band Release to Address Microsoft Security Advisory 2963983

[Corrine]

The update has been released. See Out of Band Security Update for IE Zero-Day Vulnerability

[Guest LilBambi]

It looks like they have not updated the previous postings as yet however, the Microsoft Security Bulletin MS14-021 - Critical shows affected including Windows XP SP3 for IE6, IE7 and IE8 being affected. So that certainly does imply that they are doing the Out-of-Band Security Update for Security Update for Internet Explorer (2965111) does include Windows XP SP3 for IE6, IE7, and IE8.

 

And since Microsoft only shows affected versions if they are affected AND will be included in the patch. Usually updates only include currently supported versions of Windows, so including Windows XP SP3 is certainly a welcome but unexpected inclusion.

 

Wise move by Microsoft!

[zlim]

I just patched our 4 Win 7 computers and the one XP partition on a Win 7 computer.

 

XP needs to be rebooted after the patch; Win 7 does not.

[ebrke]

Thanks for the info, Corrine! I guess I'll update the XP partition left on my now openSuSE laptop. Other Win 7 laptop has no notification for an update yet--guess I'll wait until tomorrow and then update manually.

[Guest LilBambi]

When I said that it was a wise move by Microsoft, I really mean that!

 

 

Here’s the April 2014 Desktop Share in the Operating System

breakout from NetMarketShare.com:

 

 

 

NetMarketShare – Operating System – Desktop Share – April 2014

 

Windows XP is still #2 Operating System around the world

as of the end of April 2014

 

#1 Windows 7 is 49.27%

 

#2 Windows XP 26.29%

 

#3 Windows 8/Windows 8.1 combined: 12.24%

 

(Combined both:

Windows 8 at 6.36% ~&~ Windows 8.1 at 5.88%)

 

 

#4 Mac OS X 10.7/10.8/10.9 combined: 6.09%

 

(Combined current supported versions:

Mac OS X 10.7 at 0.96% ~&~ Mac OS X 10.8 at 1.06% ~&~ Mac OS X 10.9 at 4.07%)

 

#5 Windows Vista at 2.89%

[Guest LilBambi]

Thanks for the info, Corrine! I guess I'll update the XP partition left on my now openSuSE laptop. Other Win 7 laptop has no notification for an update yet--guess I'll wait until tomorrow and then update manually.

 

I just got mine on my XP Pro in VirtualBox. I left it for over an hour online after it got it's ESET Smart Security update waiting for it to get the IE Fix but it didn't get it. So I went to Windows Updates on the Start Menu and got it right away after it did it's normal search for what updates it has already. Did great. Now offline.

[Guest LilBambi]

 

 

There's mine!

[Guest LilBambi]

Got mine on the WinXP Home Sony laptop and it came in on its own through automatic updates within about 1/2 hr.

[ross549]

i am amazed that xp (i.e. 6 through 8) is being patched. shocking. why is that a good thing? does it not encourage us (me included) to continue to use xp on the internet? - sounds like a bad idea...

 

I agree 100%. This only prolongs the inevitable.

[crp]

XP is being updated since it is so to the cutoff and there are still roughly 200 million internet users of it out there. Keep that number when comparing to other companies and previous versions of msWindows, that is a huge comparative number of users.

[ross549]

http://steve.grc.com/2014/04/28/a-quick-mitigation-for-internet-explorers-new-0-day-vulnerability/

 

This vulnerability requires some really convoluted methods to get into the system.

 

With most recent exploits, the path to exploitation is convoluted and complex and this one is no exception. In this case it depends upon encountering malicious Web content with IE’s ActiveScripting and ActiveX enabled (which is the default in both cases). That will load an Adobe SWF (Shockwave FLASH) file which first prepares the machine for exploitation, then uses Javascript against the vulnerable version of IE (presently all versions of IE) to exploit a subtle flaw in the age-old and long-ago deprecated VML (vector markup language) rendering library. (Which is, nonetheless, still hanging around “just in case.”)

[Guest LilBambi]

Most are, but they still can happen quite easily.