17Dec 08
IE zero day: Money v tubes? Choose one
Posted by Liam Tung @ 12:44 7 comments
In light of the unpatched IE zero day, AusCERT has cautiously advised organisations to "consider" using an alternative browser; or even kill browsing altogether. For organisations with locked down computers, is it time to support two browsers?
I had a funny discussion yesterday with AusCERT's general manager Graham Ingram.
He was being coy about the advice they'd given — "consider using another browser until a patch has been issued" — which, from a home user's perspective seemed pretty sensible but for a major corporation might be impractical or simply impossible.
Every version of IE is exposed, and as Stephan Chenette, manager of Websense's US research division told ZDNet.com.au last week when it thought only IE7 was affected, this flaw is "critical" because it can be exploited with virtually no user interaction — the victim need only navigate to a website that has been armed with the exploit code.
Highlighting just how critical this flaw is, Microsoft last night announced it would issue an "out of band" patch tomorrow — a rare event which, according to AusCERT's Ingram, would have been a "Herculean" feat even for Microsoft.
As I was editing this blog one last time before pushing it live, Microsoft Australia sent an email to ZDNet.com.au advising that the patch will be ready by 5am tomorrow, 18 December. In fact, it's so spooked by this it's hosting a special webcast tomorrow at 8am for Australian eastern states.
Although zero days like this don't happen every day, we can be fairly sure it is only a matter of when, not if, there will be another. So a quick fix would be to immediately switch to an alternative browser such as Firefox, Opera, Chrome or Safari. If you like IE come back to it when Microsoft has released a patch.
But it's a different game for high security organisations like government agencies, banks etc. which in many cases "lock down" computers, usually with some cocktail of Microsoft software and inevitably IE in the mix.
So I was thinking then, why not, for the locked down environment, support two browsers? Stupid idea? Maybe.
IBRS security analyst James Turner thought supporting two browsers was silly and costly. He suggested "organisations question whether everyone actually needs web access".
AusCERT's Ingram agreed that if concern over this flaw was great enough, organisations should simply kill browsing altogether. But can you imagine seven whole tubeless days?
So how important is the web for business? I would say it's pretty darn vital as the majority of workers legitimately access the web to help them do their jobs. Even classically non-work services like YouTube or Twitter have become useful tools in some industries.
So how are you dealing with this issue? Do you support more than one browser? Does everyone in your organisation need internet access? Will you be patching tomorrow?
3%
2%
Our organisation although small (8 pcs) relies on IE and also completely dependent on Microsoft software of course.
Personally I'm implementing a change to Firefox on all our systems regardless of the current problems. As it's Microsoft there will be more problems later as well!