Vulnerabilities / Threats
1/19/2010
05:26 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

7 Steps For Protecting Your Organization From 'Aurora'

Microsoft patch is imminent, but here's a checklist for locking down in the meantime

Microsoft today confirmed it will release an out-of-band emergency patch for the previously unknown Internet Explorer vulnerability that was abused in the attack against Google and others, and amid concerns the threat could be used for more widespread attacks.

The so-called "Aurora" attack exploit on IE 6, which was unleashed in the wild late last week, has raised alarm as researchers demonstrated the exploit code can be retooled to attack IE 7 and IE 8 as well, and can bypass Data Execution Protection (DEP). So far, just a few attacks have actually been spotted in the wild, according to Websense.

George Stathakopoulos, general manager for Trustworthy Computing Security at Microsoft, said in an interview today that Microsoft has seen attacks thus far only on IE 6, and the attacks have been targeted and not widespread. "But we expect that landscape will change as time goes by," Stathakopoulos says. So Microsoft decided to patch the flaw ahead of its next Patch Tuesday in February; the software giant will announce tomorrow exactly when that patch will be available, according to Stathakopoulos.

Though the exploit is just one piece of the puzzle in the attacks out of China, it's what we know for now and can at least try to mitigate, security experts say.

"Ultimately, vulnerabilities happen. They happen to Web browsers -- all of them -- they happen to document readers -- all of them -- and they happen to operating systems and even network infrastructure," says Dan Kaminsky, director of penetration testing for IOActive. "Things will get better over time -- IE 8 on Win7 is pretty solid, and all signs out of Adobe are that Acrobat is really getting worked over. In the meantime, we have to respond to attacks as they come."

So with the exploit code taking on a life of its own and an IE patch on the horizon, how do you protect your organization in the meantime? There's no guarantee your company won't eventually get targeted or hit with this exploit or some variant, but here are some steps Microsoft and other security firms recommend you can take now to help defend yourself:

1. Upgrade to IE 8 if you're an IE shop.
Despite concerns that IE 8 also could be compromised by the attack, Microsoft is still recommending the newest version of its browser as the safest.

Dino Dai Zovi, a security researcher and co-author of The Mac Hacker's Handbook, warns, however, that IE 8 on Windows XP SP3 isn't safe from this exploit, thanks to the latest research findings. "IE 8 on Windows Vista SP1 and above or Windows 7 is considerably more difficult to exploit," he says.

2. Enable DEP in IE.
DEP is automatically enabled in IE 8 on XP SP3, Vista SP1, Vista SP2, and Windows 7, but other versions of the browser require manually selecting DEP.

3. Run IE in Protected Mode on Vista and newer versions of Windows.
Microsoft says doing so limits the "impact" of an attack on the flaw.

4. Warn users about suspicious links that could be used for this attack or Websites containing online ads or user-generated content.
A user has to click on the malicious link to get infected with the malware, so remind people to be careful about links in email and instant messages, and to take care on the Web.

5. Limit user privileges.
If an attacker victimizes a user with administrative rights, then he would have the same access as that user.

6. Set Internet zone security in IE to "high."

7. Update all third-party applications with the latest versions and patches.
"Asking people to use a browser [other] than IE is not going to help one bit, unless the user also patches all other programs," says Thomas Kristensen, CSO at Secunia. "The reason is actually quite obvious -- more than 60 programs are installed on the average PC, approximately one out of five programs on the average PC are vulnerable, [and] some of these programs go unpatched for months, even years."

Meanwhile, security researchers say while the exploit used in the attack wasn't especially sophisticated or unique, it's still a real risk. "I think the ease of this exploit is dangerous," says Lucas Lundgren, a security researcher. "It's another day, another exploit, [but] every enterprise should take these threats seriously."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.