After warning users off IE, what do the security watchdogs say now?

Summary: When news of the critical flaw in Internet Explorer broke last week, agencies across the world suggested users might opt for another browser. Now that a patch has been released, have they changed their tune?

Earlier this week, authorities across the globe were rushing to advise users to minimise or stop their use of Internet Explorer. Now that the flaw that prompted those warnings has been patched, should they take back their warnings?

"Don't use Internet Explorer, unless it is absolutely, absolutely necessary, and then, still use the Secure Mode," the Netherlands' technology cops advised the country's Twitter users on Wednesday.

The Dutch police's Team High Tech Crime (THTC) probably didn't make friends at Microsoft by trashing its browser on Twitter, especially since the tweet encouraged users to switch to Opera, Firefox, Safari, and Chrome as "safer alternatives".

Critical security flaw

THTC's warning came after security company FireEye uncovered a critical security flaw in the browser last week. The vulnerability could allow remote code execution if users inadvertently visited an attack website, and the bug was already being exploited, the company said.

"FireEye Research Labs identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks," FireEye wrote in a blogpost. "The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11.

"Threat actors are actively using this exploit in an ongoing campaign which we have named 'Operation Clandestine Fox'. We believe this is a significant zero day as the vulnerable versions represent about a quarter of the total browser market. We recommend applying a patch once available." 

Microsoft officially confirmed the vulnerability shortly afterwards, but claimed it was being used in "limited, targeted attacks". It issued a fix for the flaw on Thursday, including for XP versions of the browser.

Time to take back the warnings?

Following the disclosure of the vulnerability, various national IT security authorities — including the US, UK and Australian CERTs and their German and Swedish counterparts — issued warnings alerting consumers to the risks of using Internet Explorer, and possible preventive measures that could be taken, such as downloading Microsoft's Enhanced Mitigation Experience Toolkit (EMET), or switching to an alternative browser.

While the Dutch police also chose to advise users to ditch Internet Explorer altogether, such a move may be over the top, according to the Dutch National Cyber Security Centre (NCSC).

Although the NCSC noted that the threat is only to Internet Explorer at this point, the agency said earlier this week it did not believe that installing a different browser was the solution.

"Of course it is possible to install alternative browsers, such as Chrome or Firefox, but then you're essentially fighting symptoms. Our advice is to try and avoid visiting websites you don't know and / or trust and to refrain from clicking hyperlinks in emails you receive," it said.

In addition, the NCSC warned that users who still have Windows XP installed should no longer hesitate and migrate to a later version of Windows as soon as possible since "it is only a matter of time before another part of Windows XP will be rendered vulnerable".

Since a patch has been made available for the flaw, the THTC has not said whether it considers IE safe to use, but did release the following statement on the NCSC's website: "Microsoft has issued an update, fixing a vulnerability in Internet Explorer. The NCSC recommends installing this update as soon as possible, to eliminate any security threats concerning the use of Internet Explorer.

"Even though Microsoft has ended support for Windows XP on April 8th 2014, the company still decided to release an update for this operating system as well, as an exception. However, those who still use Windows XP, run a great risk of facing another vulnerable part of Windows XP in time. Therefore, with regard to Windows XP, the advice of the NCSC remains to switch to another operating system that is still receiving report."

The US and UK CERTs have also given qualified support to the browser following the release of the patch: after previously advising users to consider using alternative browsers, they're now just recommending users apply the fix Microsoft provided.

"US-CERT recommends that users and administrators review Microsoft Security Bulletin MS14-021 and apply the necessary updates as soon as possible," a bulletin from the organisation said.

Echoing their US counterparts, the UK-CERT said: "It is recommended that users and administrators review Microsoft Security Bulletin and apply the necessary updates as soon as possible."

Martin Gijzemijter

Talkback

58 comments
  • Why is this fix from Microsoft only an "Important" update?

    With the potential impact of this security flaw in Microsoft's IE, why is the correction only listed as an "important" fix -- one that many users may not even notice?
    ErstwhileIII
    • if...

      You have a 14 year old son, this was probably critical. For all other average users it's just either low (i.e. Not use IE or don't browse risky) to important.
      To be fair I think it's been somewhat overblown and is in the wake of heartbleed.
      londan
    • where do you get Important

      The MS report is labeled Critical https://technet.microsoft.com/library/security/ms14-021
      greywolf7
      • Windows Update

        On my PC, Windows Update labels this patch as "Important".
        To me, that means "must install immediately" (not optional).
        SlimSam
    • How does "Important" translate to "users may not even notice"?

      Most users have automatic updates enabled, so they wouldn't even realize the patch was applied (other than their PC having been rebooted overnight). Beyond that group, if a user is aware enough to actually read the patch list, my sense is that they're savvy enough to realize that Important patches are ... important.
      dh1760
    • You just nailed it in your comments

      This was a "potential impact". Before the patch was released, the only sites that were under attack were financial and defense. In other words, the everyday user was basically unaffected. That could have changed had other hackers figured out the exploit in time and MS would have updated the status from Important to Critical.

      This exploit, although bad, was a bit overblown on the tech sphere as far as its impact.
      Rann Xeroxx
  • Why do I have to reboot after every IE patch?

    That is really annoying. Almost as annoying as programs and websites that only work with IE.
    Mr.B.
    • That's because the engine of IE is used by the kernel

      to issue messages...

      dumb idea, but that's how tightly they tied IE into the system.
      jessepollard
      • re:

        You state that the "engine" of IE is used by Windows' kernel to issue messages. Do you have a link or some other evidence that backs this up?
        Sir Name
        • He has no evidence, because his claim is nonsense

          He's a troll who strings together jargon into nonsense statements that fool people who don't know what the jargon means. Those of us who actually understand what the jargon means know it's nonsense, but he can fool others. It's best to ignore him.
          WilErz
        • Why you have to reboot

          The part about the "engine being part of the kernel" is only partially true. System programs like IE use a series of Dynamic Link Libraries (.dll files) that contain code common to a lot of other programs. The idea is that rather than having multiple copies of this code running, programs can save space and some execution time by sharing these libraries of common routines.

          In order to save time, the DLLs are loaded into memory and stay there, especially when they are shared by a lot of programs running on your system. If you change a DLL, it has to be reloaded into memory. However, the way these DLLs (Linux and Unix users may know these are shared objects) are managed, you cannot just reload them while other programs are using them. Aside from changing how the library's code gets executed, a change is likely to change the layout. Thus, a program that thinks the entry to the DLL function is supposed to be at one address is then moved to another. This is not a good thing.

          To stop all programs from accessing the DLL that was updated because of IE, make sure the DLL is reloaded with the fixed code, and the programs that use the library are properly linked to the new DLL's layout, the only way to make this happen without a lot of side effects is to reboot the operating system. This resets everything including the address pointers, which is very important.

          In a way, IE is tied to the operating system, but not in the way it was assumed by the original poster.
          sbarman
          • Most PC software is modular

            Any claim that the "[IE] engine [is] part of the kernel" is not partially true, it's complete nonsense, and absolutely false.

            Firefox, Chrome, Opera, etc. are all made up of modules implemented in various DLLs. That's how most modern PC software is developed. Being part of the OS is a different issue, and the main difference there is that system components are distributed with and updated with the OS. Apps that use MSHTML (a system component) don't have to distribute it, and are all updated automatically when MSHTML is updated. Developers that use other rendering engines, such as WebKit, have to distribute the rendering engines themselves, with their apps. They also have to update and maintain the rendering engine themselves, so updates are distributed much more slowly and in a non-uniform way (some apps will be updated right away, some later, some never).

            Having HTML rendering included as part of the OS (but not the kernel!) is clearly the right approach from a technical perspective. It's a pity Microsoft couldn't convince the US DoJ or EC of that. It's even more of a pity that the aftermath of the US v Microsoft led Microsoft to stop investing in IE for a number of years, so it stagnated. It's improved since they started investing in it again, and is or has been ahead of other browsers in a few areas, but still behind in others.
            WilErz
          • You Know It, But...

            ...L. D. will tell you forever and a day that it's to 'recompile the kernel'.
            Contrary to your correct statement; "(Linux and Unix users may know these are shared objects)".
            Thanks for the clear explanation.
            PreachJohn
        • delete it.

          And watch the system crash.
          jessepollard
          • I run several Windows servers

            Running the NT kernel with no sight of IE.

            These systems do not seem to crash and the kernel seems to be perfectly capable of "issuing messages".

            But hey don't let me stop you uttering nonsense.
            sjaak327
      • No it isn't

        You're making stuff up.

        Plenty of machines did not need to be rebooted, which as such is ample proof to the contrary.

        Your credibility of course just goes down and down.
        sjaak327
        • ALL of my machines required a reboot

          What does that say about YOUR credibility?
          malcolm@...
          • Nothing

            I have hundreds of machines and some of them required a reboot, some of them didn't.

            The reasons have been explained by some commenters on here. The kernel using it for messaging isn't one of them.
            sjaak327
    • You probably don't have to reboot, but they tell you to, to be safe

      Like most modern software, IE is made up of various components. This vulnerability was apparently in the HTML rendering component, MSHTML, which is implemented in a library (DLL) called mshtml.dll. The MSHTML component is used by IE (iexplore.exe), but also used by a lot of other apps. If you're writing a Windows app that renders HTML anywhere, you have to load some HTML rendering library (unless you're crazy and want to roll your own). MSHTML is the obvious choice, since it's always available on Windows (so you don't have to redistribute it with your app or deal with updating it), is well documented/supported, etc. This is standard code reuse, which is a good practice. On Android, WebView is somewhat similar.

      The trouble is, Windows can't replace the vulnerable version of mshtml.dll with the patched version if it's in use. So, before you can update mshtml.dll, you have to stop every process that's using it. If any process is using the vulnerable component when Windows tries to update it, the update will fail, and Windows will schedule the file replacement for the next reboot, then ask you to reboot. After the reboot, all processes are guaranteed to be using the new, secure version. (It's also possible that the updater doesn't even check, and just lazily assumes something will have loaded mshtml.dll.)

      Unix-like systems (including Linux) have the same issue, but typically handle it differently. Unix will allow you to replace a component even if it's in use, and the old version will disappear from the file tree. However, there's a catch. The old version will remain in the file system (without a file name, so hidden) until all processes using it have exited (at which point it will be deleted). Moreover, processes using the old, vulnerable component will remain vulnerable. So, you have to stop and restart every process that was using the old, vulnerable component (or just reboot the system).

      I prefer the Unix way of doing things, but it can be more dangerous for naive users, because even after the vulnerable component has been replaced with a patched version, the system remains vulnerable until every process that was using it has been restarted. However, since the vulnerable component is no longer visible in the file system, the system looks safe to a naive user -- but isn't. As with Windows, the easiest solution is simply to reboot, but if you're technically skilled, you can stop/restart all processes using the vulnerable component and skip the reboot.

      PS Ignore the comment by 'jessepollard'. He's a technically illiterate troll who strings together IT jargon into nonsense that sounds plausible to people who don't know what the jargon means (a famous Indian guru does the same thing with quantum physics jargon, but anyone who knows anything about quantum physics knows it's nonsense). The Windows kernel does not render HTML, so it does not load mshtml.dll. MSHTML isn't even a kernel-mode component, it's a user-mode component, and it doesn't send messages either -- it renders HTML.
      WilErz
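
The Unix-side condition described in the comment above (a patched library on disk, but running processes still mapping the old, unlinked copy) can be checked on Linux by looking for executable mappings marked `(deleted)` in `/proc/<pid>/maps`. This is an added example, not part of the original comment thread; the sample maps content, the library name `libexample.so.1.0` and the function names are constructed for illustration.

```python
import os
import re

# Constructed sample of /proc/<pid>/maps content (not captured from a real host).
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a2c000 r-xp 00000000 08:01 393301 /usr/sbin/exampled
7f3c1a000000-7f3c1a1b0000 r-xp 00000000 08:01 131234 /usr/lib/libexample.so.1.0 (deleted)
7f3c1a1b0000-7f3c1a1c0000 rw-p 001b0000 08:01 131234 /usr/lib/libexample.so.1.0 (deleted)
7f3c1b000000-7f3c1b020000 r-xp 00000000 08:01 131300 /usr/lib/libc.so.6
7f3c1c000000-7f3c1c001000 rw-s 00000000 00:05 0 /dev/zero (deleted)
"""

# Matches libfoo.so and versioned names such as libfoo.so.1.0
SHARED_OBJECT = re.compile(r"\.so(\.\d+)*$")

def stale_libraries(maps_text):
    """Return shared objects that are mapped executable but unlinked on disk."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # pathname is field 6 and may contain spaces
        if len(fields) < 6:
            continue  # anonymous mapping, no pathname
        perms, path = fields[1], fields[5]
        if not path.endswith(" (deleted)"):
            continue  # backing file still exists under this name
        path = path[: -len(" (deleted)")]
        if "x" in perms and SHARED_OBJECT.search(path):
            stale.add(path)
    return stale

def scan_proc(proc_root="/proc"):
    """Map pid -> stale libraries for every process whose maps file is readable."""
    findings = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps"), errors="replace") as fh:
                stale = stale_libraries(fh.read())
        except OSError:
            continue  # process exited or permission denied
        if stale:
            findings[int(entry)] = stale
    return findings

if __name__ == "__main__":
    for pid, libs in sorted(scan_proc().items()):
        print(pid, ", ".join(sorted(libs)))
```

Run as root after installing library updates to see every process; any PID listed needs a restart before the patched code is actually in use.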
    • Mr. B, you do NOT have to reboot after "every" patch

      Specifically, for the patch being discussed in this forum, you do NOT have to reboot. I installed it a few minutes ago, and it did NOT ask me to reboot (nor did it force a reboot). Most patches to IE only require re-starting the browser. It's usually SOME patches to Windows that require rebooting.
      jaykayess