Microsoft IE Out of Band Patch – Install it now!

I was trying to explain just HOW important this patch was to someone today….   and finally I found a great explaination from Mark Minasi in his newsletter today.    Suffice to say, deploy the patch NOW!

http://www.minasi.com/newsletters/nws1001b.htm

From that newsletter:

“Install Today’s IE Patch.  Really. Do it.  Now.

Here’s a very, very important item.  The short version is that today, 22 January 2010 Microsoft released a patch (MS10-002, KB 978207) for a very dangerous hole in IE, and my advice is to install it today.  (Go to Windows Update, it’s there now.)

Here’s why I counsel the urgency.

You may know that on the 12th of January, Google reported that someone had launched a large-scale attack on their and other people’s servers in an attempt to gather information about Chinese dissidents.  Google’s specific example was that the attacker tried to access the dissidents’ Gmail accounts, but the buzz on the Web has been that whoever launched the attack was pretty successful at gathering a whole boatload of intellectual property.  But how did the Chinese government attackers unknown hackers do it?  The answer arrived a couple of days later in a blog post by McAfee’s CTO George Kurtz:  a zero-day IE exploit.

Apparently the problem involves an invalid pointer inside IE.  What that means in English is that this bug, similar to the “buffer overflow” type bugs we saw in Code Red and SQL Slammer, allows a bad guy to reach into your computer and instruct IE to do, well, anything to your computer:  shut it down, delete files, upload some data from your computer to the bad guy, and the like.

Here’s a simple example of how this would work.  Let’s suppose that Bad Guy wants to keep you from running Solitaire because Bad Guy once lost $10,000 in Vegas on Blackjack and he figures that computer card games like Solitaire are the “gateway drug” that eventually leads to real cards and real bets.  (Okay, it’s a silly example.)  Bad Guy does this by creating a Web page with useful information on it like, say, a complete listing of all of the upcoming shows in Vegas.  (See the clever social engineering?  This guy is an evil genius.)  The web page has text explaining the shows; it’s got pictures and videos to keep your attention… and a quiet little browser-side script.  Unless you’ve got your IE security settings positioned at “I trust no one at all”  — which sounds great until you actually try to access 99% of the perfectly innocent Web pages out there — then the script is silently downloaded and executed.  (I am simplifying, but this is basically how it happens.)  The script then uses this invalid pointer to hand IE a bunch of code, and tells IE to execute that code. 

Now, in the case of my silly example, the code would say, “ask the system if a process named ‘Solitaire’ is running and, if so, tell the system to kill that process,” but, as I said earlier, this could be any piece of code at all — delete files, slow down your system, email your mother all of the JPEGs on your hard drive, you name it.  The only restrictions on the code would be that it runs as you, and so it can’t do anything that you can’t do.  But even the most limited-power user could shut down apps that she was running look in most folders, or access any credit card information she keeps on her computer.  The generic phrase for this kind of attack is called a “run code of attacker’s choice,” and anything with that ability is very dangerous.

So why’s this different from other “run code of attacker’s choice” patches?  I mean, we see about a half-dozen RCOACs out of Microsoft a year, right?  The difference is that this is one of those cases where the attackers knew of the IE bug before Microsoft did, and instead of telling Microsoft about the bug, they wrote their own evil, cowardly program to exploit that bug.  It might have gone like this:

  1. Write an exploit that says to IE, “hey, if you happen to be on a network that’s connected to Google servers and you happen to be an admin on those servers, go grab any Gmail accounts from the following names and post all of their messages to the following server.”
  2. Package that exploit into a nice little script.
  3. Put that script onto a Web page that a Google employee would be likely to visit.  Or, better yet, put it on lots and lots of Web sites to increase the chances of that ideal victim — a Google admin with access to Chinese Gmail accounts — visiting the site.  (Of course, I have no idea what people in China would have the power to direct the folks running well-trafficked Chinese Web sites insert this script.  No idea at all.)
  4. And… wait.  In time, something good will appear on the “harvesting server.”

The good news is that there is a patch, as I’ve already said. The bad news is that what I know, the bad guys know, and so at this point there are many, many sites all around the world that have been infected that have nothing to do with the original Google attack, and so viewing those sites with a vulnerable copy of IE would do… well, I have no idea what it’ll do, and that’s the point.  If you are using IE to view Web pages and your IE is not patched, then you could be letting yourself in for anything, and that’s not just a hypothetical case because, again, the exploit code is already on the Web.  A bad guy with half a brain can get it running, and lots of half-brained guys want your credit card number.  What’s the probability that one of your employees will visit one of those sites?  I have no idea, but it does occur to me that with every second that goes by, that probability increases.  Tick, tick, tick…

Finally, you will read a lot that this only affects IE6, not IE7 or IE8.  That’s not entirely true, as researchers have reported that while IE7 and IE8 still have the invalid pointer bug, the result of viewing infected Web pages is more often an IE lockup or nothing at all… but on some systems, exploit code has been made to work on IE7 and IE8.”

Social