A quick update to last week’s Patch Tuesday briefing. Today, Microsoft released a rare out-of-cycle patch to address a critical issue in Internet Explorer, which I discussed in my write-up last week. This patch, bulletin MS13-008, affects IE 6, 7, and 8. This is a critical one to address: the public exploits to date have targeted government employees and contractors, but this genie is out of the bottle, and broader use is inevitable.
While we’re on the topic of critical patches and the miscreants who love them, there’s another one worth talking about. Yesterday, Oracle released a critical patch for Java 7 (Java 7 Update 11) to close a vulnerability that has also been exploited in the wild. The cross-platform nature of the Java browser plug-in means this vulnerability affects a wide range of browsers and operating systems, making it a profitable attack vector. The icing on the cake is that the exploit has already been baked into a range of crimeware kits, including Blackhole, Cool Exploit Kit, Nuclear Pack, and RedKit, in addition to Metasploit. It is being actively used in attacks all over the globe, and has been for at least the last one to two weeks. McAfee Labs has a good analysis of the ongoing attacks.
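Before deciding what to do about the Java vulnerability, you need to know which hosts are still running an exposed build. The following script is an added example, not code from the original post or from McAfee: it parses the banner that `java -version` writes to stderr (both the legacy `1.<major>.0_<update>` form and the newer `<major>.<minor>.<update>` form), compares the update level against a table of fixed builds, and classifies each host. The sample banners are constructed, and the assumption that the fix is Java 7 Update 11 with only the Java 7 family in scope is an illustrative value taken from the vendor advisory, not something stated on this page.

```python
import re
import subprocess

# Constructed `java -version` banners (the JVM writes these to stderr), not real hosts.
SAMPLE_OUTPUTS = {
    "host-a": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)\n',
    "host-b": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b21)\n',
    "host-c": 'java version "1.6.0_38"\nJava(TM) SE Runtime Environment (build 1.6.0_38-b05)\n',
    "host-d": "sh: java: command not found\n",
}

# Assumption for this example: the fix shipped as Java 7 Update 11 and only the
# Java 7 family is covered by the advisory.  Replace with the vendor's numbers.
FIXED_UPDATE = {7: 11}

BANNER_RE = re.compile(r'(?:java|openjdk) version "([^"]+)"')


def parse_java_version(text):
    """Return (major, update) from a `java -version` banner, or None if absent.

    Legacy form:  1.7.0_10  -> (7, 10)
    Modern form:  17.0.1    -> (17, 1)
    """
    m = BANNER_RE.search(text)
    if m is None:
        return None
    v = m.group(1)
    if v.startswith("1."):                       # legacy 1.<major>.0_<update>
        core, _, update = v.partition("_")
        major = int(core.split(".")[1])
        digits = re.match(r"\d+", update or "0")
        return major, int(digits.group())
    nums = re.findall(r"\d+", v.split("-")[0])   # drop "-ea" style suffixes
    major = int(nums[0])
    update = int(nums[2]) if len(nums) > 2 else 0
    return major, update


def classify(text, fixed_update=FIXED_UPDATE):
    """Classify one host's banner.

    'no-java'    -> no JRE reported, nothing to patch
    'unaffected' -> a major version the advisory does not cover
    'vulnerable' -> covered major, update level below the fixed build
    'patched'    -> covered major, update level at or above the fixed build
    """
    parsed = parse_java_version(text)
    if parsed is None:
        return "no-java"
    major, update = parsed
    if major not in fixed_update:
        return "unaffected"
    return "patched" if update >= fixed_update[major] else "vulnerable"


def audit(outputs, fixed_update=FIXED_UPDATE):
    """Map host name -> classification for a dict of collected banners."""
    return {host: classify(text, fixed_update) for host, text in outputs.items()}


def local_java_version_text():
    """Run `java -version` on this machine; returns "" when no java binary exists."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    # The banner goes to stderr; stdout is appended in case a wrapper script differs.
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_OUTPUTS).items()):
        print(f"{host}: {status}")
    print("this machine:", classify(local_java_version_text()))
```

In practice you would collect the banners with whatever remote-execution tooling you already have and feed them to `audit`; the point of keeping the fixed-build table as data is that the same script serves the next Java advisory without edits to the logic. Note that `java -version` reports the JRE on the PATH, which is not always the one the browser plug-in loads, so treat "patched" as a necessary rather than sufficient condition.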
Calls are going out for users to change browsers, uninstall Java, eliminate enterprise applications that require Java, roll out emergency patches, and otherwise take drastic and labor-intensive actions to reduce their exposure to these threats. But that’s a shell game. Software is written by humans; it all has flaws, and it always will. There are better ways to deal with these threats.
I’ve attached the McAfee Labs security advisory covering these two vulnerabilities. The advisories show that technologies like McAfee Application Control, Host Intrusion Prevention, and VirusScan Buffer Overflow Protection are all effective in blocking both of these exploits. McAfee Network Security Platform released updated signatures on Jan 1 that are effective against the IE vulnerability, and coverage for the Java vulnerability is under investigation. These technologies allow organizations to take critical vulnerabilities in stride and to avoid costly, knee-jerk reactions. McAfee’s Rees Johnson said it well in a recent blog post: relying on anti-virus alone will cost you more and make you less secure.