Microsoft Internet Explorer (IE) tends to be the standard web browser used today, especially in the federal government. However, the U.S. Department of Homeland Security (DHS) recently urged users to find alternatives to IE versions 6 to 11 due to serious security issues.
The U.S. Computer Emergency Readiness Team (US-CERT), which is a part of the DHS, stated that they have become aware of an “active exploitation of a use-after-free vulnerability in Microsoft Internet Explorer. This vulnerability affects IE versions 6 through 11 and could lead to the complete compromise of an affected system.”
Clicking on a malicious link could allow threat actors to swiftly gain unwelcome access to end-user computers and provide them with privileges of an authorized user. According to the US-CERT release, “By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code.” US-CERT also stated that they were unaware of a practical work-around solution to the problem.
I believe there are a few basic steps that can be implemented. As of May 1st, Microsoft completed the investigation into a public report of this vulnerability and has issued MS14-021 to address this issue. For more information about this issue, including download links for an available security update, please review MS14-021. In addition, there are some standard daily practices that users and network administrators should consider as part of regular security health checks.
Newly discovered vulnerabilities and threats like Heartbleed, Cryptolocker and the IE security hole we are writing about call for a security strategy built on resiliency. As part of our Cyber Security Lifecycle Approach, we recommend the following:
- Think before you click on unfamiliar sites
- Update your OS and browsers frequently
- Continuously scan your systems to verify that they are in a compliant state with the latest patches and proper configurations
- Create strong passwords and utilize different passwords for different types of systems, applications and sites
- Leverage more than one type of browser; utilize different browsers, (Firefox, Chrome, Safari, etc.) for different web applications and social sites
- Enable email spam and web content filters to help limit your risk from spear phishing attacks and malicious sites
We don’t believe that organizations are ever going to get in front of the security threats, because we know the bad guys are motivated to be faster and targeted and are becoming more sophisticated with their attacks. That said, organizations must not consider security to be a checkmark in a box. It is a cyclical approach that must be revisited, analyzed, tested and tweaked often.
COMMENTS