By Dr. Samir Kelekar, Senior Consultant, Indusface

Post Heartbleed by Indusface

A new critical zero-day vulnerability has been found in Internet Explorer 6 to 11: that is the news we woke up to on Monday. The vulnerability affects IE versions 6 to 11, although the exploits currently available in the wild target versions 9 to 11. That is more than 50% of the world’s browsers; Internet Explorer 9 to 11 alone constitute about 26% of the world’s browsers. It is a zero-day vulnerability because exploits are already in the wild and no patch is available yet, although one can take measures to avoid getting hacked.

This news comes in the wake of the Heartbleed vulnerability, which affected OpenSSL, a widely used SSL implementation on the internet: a vulnerability that affected almost two-thirds of websites, not to mention SSL clients and network gear. The IE vulnerability affects all Windows operating systems from Windows XP onwards, as the above browsers are available on these OSes. Given that Microsoft has stopped supporting XP and will not make a patch available for this vulnerability on XP, those still using XP will be left in the lurch.

Fix for Internet Explorer’s zero-day vulnerability

The vulnerability can be exploited via malicious sites visited with a vulnerable browser or via attachments sent by email. Microsoft is working on a fix, but it is not yet ready. As of now, the following measures can be taken on operating systems other than XP to avoid the vulnerability:

  1. Turn on Enhanced Protection Mode (EPM), which is available only in IE versions 10 and 11; disable the Flash plugin; or download and install Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) version 4.1.
  2. Another measure is not to use Internet Explorer at all: use Chrome, Mozilla Firefox, Opera, Safari or some other browser. As Microsoft is not going to come up with a fix for XP, the best way out is to upgrade from XP to a newer OS. Some third parties might come up with XP fixes, but we have to wait and see to be sure.
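One way to audit a Windows host for the measures listed above, written for this post as an added example (it is not Indusface’s or Microsoft’s code). The registry locations it reads come from general Windows knowledge rather than from the post, so treat them as assumptions to be checked against Microsoft’s documentation for your IE version.

```powershell
# Added example: report IE version, Enhanced Protected Mode, Flash ActiveX
# kill bit and EMET installation on the local machine (read-only checks).
# Registry paths below are assumptions from general Windows knowledge,
# not values taken from the post.

$ieKey      = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$mainKey    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$flashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Shockwave Flash ActiveX control

# 1. IE version: IE 10+ records it in svcVersion, older releases in Version.
$ieProps = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
$version = if ($ieProps.svcVersion) { $ieProps.svcVersion } else { $ieProps.Version }
$major   = 0
if ($version) { $major = [int]($version.Split('.')[0]) }
"Internet Explorer version: $version"

# 2. Enhanced Protected Mode (IE 10/11 only): per-user setting under Main,
#    'Isolation' = 'PMEM' means EPM is on, 'PMIL' means off.
$main  = Get-ItemProperty -Path $mainKey -ErrorAction SilentlyContinue
$epmOn = ($major -ge 10) -and ($main.Isolation -eq 'PMEM')
"Enhanced Protected Mode enabled: $epmOn"

# 3. Flash plugin: is the ActiveX control registered, and does the kill bit
#    (Compatibility Flags bit 0x400) stop IE from loading it?
$flashReg   = Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$flashClsid"
$killBitKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid"
$flags      = (Get-ItemProperty -Path $killBitKey -ErrorAction SilentlyContinue).'Compatibility Flags'
$flashBlocked = (($flags -band 0x400) -ne 0)
"Flash ActiveX registered: $flashReg; blocked by kill bit: $flashBlocked"

# 4. EMET: look for an installed product whose display name starts with EMET.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
$emet = Get-ChildItem $uninstall -ErrorAction SilentlyContinue |
        Get-ItemProperty | Where-Object { $_.DisplayName -like 'EMET*' }
"EMET installed: $([bool]$emet) $(if ($emet) { $emet.DisplayVersion })"

# Summary line for a fleet inventory: which of the listed measures is in place.
"Measures in place -> EPM: $epmOn, Flash blocked: $flashBlocked, EMET: $([bool]$emet)"
```

Run it per user (EPM is a per-user setting) and collect the summary line across machines to see which hosts still have none of the measures in place.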

Personally, I use Internet Explorer to access a US government website. Many US Federal websites either require or recommend use of the Internet Explorer browser. As a result, I have no other option but to use Internet Explorer and use the above fixes. I cannot move to Chrome or Mozilla for the above purpose.

Can you check if you are affected by this critical vulnerability?

As of now, I do not see a site where one can go and check whether one is affected, or download something that will automatically make the configuration changes to IE that would secure it. But watch out: it is not unrealistic to expect such sites and services to come up soon, given that more than 50% of browsers on the Internet are affected by this vulnerability.

The bigger concern overall is the huge productivity loss due to time that is going into deploying patches or playing catch up with these vulnerabilities and keeping oneself secure. Is there a way out?

In this particular case, the best option would be to dump XP and move on to the latest Windows OS, that is, Windows 8. Other than that, we can only wish for a silver bullet that will come up sometime in the future and save us the huge productivity losses from dealing with these vulnerabilities.
