Microsoft has said it will release a patch on Thursday to fix the Internet Explorer 6 flaw that hackers used recently to attack Google and other large companies. The attacks have triggered a slugfest between Google and the Chinese government.
While the flaw can also be exploited in Internet Explorer 7 and 8, most of the attacks so far have been against IE6 on Windows XP because this combination of browser and operating system seems to be the most vulnerable.
The situation raises the question of why large corporations continue to use IE6, which is now eight years old, when newer versions are readily available. Answers range from technical reasons to a lack of understanding of the current security threat landscape.
Plugging the Holes
Microsoft will release the patch, MS10-002, on Thursday, Jerry Bryant, its senior security program manager, told TechNewsWorld. The vendor issued advance notification of this on Wednesday in a security bulletin.
The update will come as close to 10 a.m. PST as possible, Bryant said. While the patch is out of band, meaning out of Microsoft’s normal patch release cycle, it is a cumulative update that contains other updates originally targeted for release in early February.
The patch “addresses the vulnerability related to recent attacks against Google and a small subset of corporations, as well as several other vulnerabilities,” Bryant said. “Once applied, customers are protected against the known attacks that have been widely publicized.”
The Nature of the Beast
Microsoft continues to see limited attacks, and so far the only successful ones have been against IE6, Bryant said.
That’s because the particular way this attack was crafted only allows it to exploit the flaw when IE6 is running on Windows XP, Richie Lai, director of vulnerability research at Qualys, told TechNewsWorld. “As released, it would not have worked on Vista or higher platforms because DEP and ASLR are enabled on the newer platforms, which mitigate the attack,” Lai explained. “Also, IE6 cannot be installed on newer versions of Windows easily, since they ship with a higher version of the browser.”
DEP, or Data Execution Prevention, is a security feature in modern Windows operating systems that stops an application or service from executing code out of a memory region marked non-executable. This blocks the class of exploits that place attacker-supplied code in data memory, for example through a buffer overflow, and then try to run it.
ASLR stands for “address space layout randomization.” It is a computer security technique in which the positions of key data areas, including the base of the executable and the positions of libraries, heaps and stacks, are arranged randomly in a process’s address space. This makes it harder for an attacker to predict, and therefore reliably target, the addresses an exploit depends on.
However, the attack can be tweaked to hit IE 7 and IE 8 on Windows XP. “For example, IE 8 on Windows XP Service Pack 3 has DEP enabled, but since XP does not have ASLR in the kernel, it can be bypassed,” Lai pointed out.
A combination of both DEP and ASLR is harder to break. “Security researchers have come up with a few samples that supposedly bypass DEP, but I don’t believe anyone has been able to defeat ASLR and DEP,” Lai said. For example, IE 8 running on Windows 7 would be very difficult to exploit because both DEP and ASLR are enabled, he pointed out.
Clinging to the Past
Despite being two generations behind the browser’s current version, IE6 is still widely used among corporations. “Even here at Qualys, we see that the majority of visitors to our Web pages use IE6,” Lai said.
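One way to size this exposure is to apply the platform reasoning above (IE6 on XP exploited as released; IE7/8 on XP reachable because XP lacks ASLR; Vista and later mitigated by DEP plus ASLR) to a web server's User-Agent logs. The following is an added example, not code from the article or from any company quoted in it; the sample User-Agent strings are constructed, the regex and tier names are the example's own assumptions, and because a User-Agent does not reveal the service-pack level, IE8 on XP is tiered conservatively as exposed.

```python
import re
from collections import Counter

# Constructed sample User-Agent strings, as a web server would log them (not from the article).
SAMPLE_USER_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) Gecko/20091221 Firefox/3.5.7",
]

# IE reports its major version and the Windows NT kernel version in the UA string.
UA_RE = re.compile(r"MSIE (\d+)\.\d+;\s*Windows NT (\d+)\.(\d+)")

# Windows XP (32-bit and x64) as seen in UA strings; Vista is 6.0, Windows 7 is 6.1.
WINDOWS_XP = {(5, 1), (5, 2)}

def classify(user_agent):
    """Map an IE user agent to an exposure tier for this flaw (tier names are assumptions).

    exploited  - IE6 on XP: the attack as released works here
    exposed    - IE7/IE8 on XP: DEP may be on (IE8 on XP SP3) but XP has no kernel ASLR,
                 so the attack can be tweaked to get past DEP alone
    mitigated  - any IE on Vista or later (NT 6.x): DEP and ASLR are both enabled
    unassessed - IE on a Windows version the article does not discuss
    Returns None for non-IE browsers, which this flaw does not concern.
    """
    m = UA_RE.search(user_agent)
    if not m:
        return None
    ie_major, nt_major, nt_minor = (int(g) for g in m.groups())
    if nt_major >= 6:
        return "mitigated"
    if (nt_major, nt_minor) not in WINDOWS_XP:
        return "unassessed"
    return "exploited" if ie_major <= 6 else "exposed"

def summarize(user_agents):
    """Count visitors per exposure tier; 'other' collects non-IE browsers."""
    counts = Counter()
    for ua in user_agents:
        counts[classify(ua) or "other"] += 1
    return counts

if __name__ == "__main__":
    for tier, n in summarize(SAMPLE_USER_AGENTS).most_common():
        print(f"{tier:10s} {n}")
```

Run against a real access log, the "exploited" count is the number of visitors still on the exact combination the attack targeted.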
Why cling to an eight-year-old browser? Many enterprises are running Windows XP, and upgrades to IE 7 and 8 are free, so why don’t corporations upgrade? Furthermore, hackers have increasingly been using Web-based and browser-based attacks to get to their victims. Meanwhile, enterprises are flocking to Web 2.0 and setting up user communities and spaces for user-generated content on their Web sites, further increasing their exposure.
Wouldn’t any IT security manager be rightfully concerned? Many enterprises may not have upgraded because they aren’t as aware of security threats as they should be, Scott Crawford, a research director at Enterprise Management Associates (EMA), told TechNewsWorld.
“As far as not keeping up with more current browsers, this may be because too many organizations still do not recognize the reality of the threat landscape and the increased focus on Web and browser vulnerabilities,” Crawford said.
Another reason could be that corporations don’t like change, pointed out Rob Enderle, principal analyst at the Enderle Group. “Once IT locks onto a technology and standardizes on it, getting them off it is like pulling hen’s teeth,” he told TechNewsWorld.
That unwillingness to change is partly due to a combination of technical factors. “IE6 was when corporations locked down on IE and got off Netscape Navigator, and for a while, Microsoft didn’t really make any major changes in the browser, so when IE 7 came out, there was no real need to move,” Enderle explained.
The day-to-day grind of IT maintenance also plays a role, EMA’s Crawford said. “There seems to have been an overall lag in the recognition of exposure to Web-related threats on both the server and client sides,” he told TechNewsWorld. “This is not unusual in security, where countermeasures tend to lag behind threats because they respond to the threat environment.”
Some good might come out of this latest zero-day exploit, Qualys’ Lai pointed out. “This is a great wake-up call that companies need to update the software that is crucial to their business,” he said.