Ok it's late Friday night but it's been a rough day for us security folks especially Microsoft. As I warned in my last blog "zero-day exploit for IE6 flaw released", this is VERY serious and it has all the markings of another WMF nightmare for Internet Explorer 6. There are probably more than 100 sites using the latest IE6 flaw on the loose and it's growing!
According to a Microsoft spokesman I talked to, an out-of-band patch is on the table but nothing has been confirmed yet and they're watching the situation closely to see if an outbreak occurs. Well I think the time for monitoring is over and it's obvious that a public outbreak is on the loose. It's time for Microsoft to hurry up and finish testing their patch and release the fix as soon as possible, yesterday if possible!
Right now there are some reasonably feasible solutions for Windows PC users:
- Disable active scripting, for Enterprise and for the home.
- Enable hardware-enforced DEP if you have the right hardware. See my DEP guide.
- Use an alternate browser like Opera or Firefox.
- Do not run Windows as an Administrator.
Each one of these solutions are less than desirable in one aspect or another. Here is a explanation of the options.
- Disabling active scripting is the official workaround from Microsoft. It does work 100% of the time, but it also breaks a lot of websites and you'll have to individually add legitimate sites that need active scripting to your trusted IE zone.
- Enabling hardware-enforced DEP and enabling it for all services and programs seemed to work like a charm. When I tested a malicious site, hardware-enforced DEP protected me 7 out of 7 times! Without the hardware-enforced DEP, the malicious website successfully launched a massive number of exploits 2 out of 2 times. Hardware-enforced DEP works preemptively without any patches to the OS or anti-virus software which is extremely desirable. The problem is that only the newest computers have it. The problem with hardware-enforced DEP is that not everyone has the right CPU. There are still some new computers being sold today that don't have hardware-enforced DEP capability. Most old computers don't have the capability. Again you should see my DEP guide and see if you can use it to protect yourself because it's great if you have it. The WMF exploits were also stopped dead in their tracks by hardware-enforced DEP.
- Using a browser like Opera or Firefox at least for the time being if the last two options aren't feasible to you is probably a good idea at least until the storm blows over and a patch is available. Opera seems to be the least flawed of the bunch and Firefox has actually had more flaws per month than Internet Explorer, but Internet Explorer is still a favorite target because of how ubiquitous IE is. The only issue with Firefox and Opera is that it won't run on some websites and Intranet applications.
- Not running as Administrator is always a good idea on any computer or operating system you use. The problem with this on the Windows XP platform is that not all software is compatible with non-administrative access and Windows XP defaults to Administrator mode.