Welcome to InterconnectNow - Interconnected Technologies' blog about technology and other items of interest to small businesses and individuals.

The topics here will usually deal with productivity-enhancing technologies of interest to small businesses and individuals, but are often of broader interest.  Productivity is the goal of all of this technology that we use. Enabling productivity through refining or adding technology-based capabilities is what we're obsessed with at Interconnected Technologies, and so this blog is dedicated to discussions of all things related to that.

Enjoy!

Tuesday, Apr 29, 2014

Internet Explorer Vulnerability - what to do

 


Internet Explorer vulnerability CVE-2014-1776

-----------------------------------------------------------------------------

An update: Microsoft has released an out-of-band security update to address this issue, even on now-unsupported Windows XP systems.

http://blogs.technet.com/b/msrc/archive/2014/05/01/out-of-band-release-to-address-microsoft-security-advisory-2963983.aspx

 This update will happen automatically unless automatic updates are disabled on a given system.

-----------------------------------------------------------------------------

 

There has been a great deal of press about this, but few answers. We have attempted here to offer alternatives and a little perspective.

Summary:

Until Microsoft releases a fix for this issue, you can:

Use Google Chrome (Download Chrome and allow it to become your default browser, for now)

or

Disable Flash Player in Internet Explorer (just use these instructions but select Disable instead of Enable)

or

Ask us for help. That’s what we’re here for!

More information:

This vulnerability affects nearly all versions of Internet Explorer still in use. As our clients know, for a variety of reasons we recommend against the grain of popular (if ignorant) culture: use Internet Explorer. This means Internet Explorer 10 or 11, which, for whatever lack of cool the popular culture finds with them, are still the most secure browsers available. (http://www.interconnected.com/interconnectnow/2014/4/29/browser-security-an-update-for-2014.html). For users of MacOS or people who use both, we recommend Google Chrome as a reasonable second choice.

For now, a serious exposure exists that can, under certain narrow circumstances, compromise the security of a computer using Internet Explorer. While there has been no fix yet from Microsoft, and no definitive statement from Symantec or other antivirus / firewall providers about their ability (or lack thereof) to mitigate this, there are steps users can take.

One prudent path, regardless of which of the following alternatives one chooses, is to avoid, for the time being, visiting web sites with which you are unfamiliar. Going to Fedex, or LL Bean, or Amazon.com is not going to compromise your computer, no matter what browser you are using. Searching for things and visiting oddly-named web sites that are the results of that search, might. Browse with a little more caution until Microsoft resolves this issue.

Beyond the above, here are some alternatives:

Do nothing. Most people will follow this path. This vulnerability has been there for years and hasn’t affected most computers. This is the same logic that allows people to drive for years without wearing a seatbelt or a motorcycle helmet. It’s risky, but a lot of people do it and only a small percentage of them pay any price for this risky behavior.

Switch browsers. This is the simplest solution. You can use another browser until Microsoft patches this. Some have advised using Firefox, which arguably puts you more at risk than doing nothing, due to the overall low security provided by Firefox. If you feel like using an alternate browser, use Google Chrome. Keep in mind that apart from the current vulnerability, which will be fixed, Chrome is in general not as secure as Internet Explorer, and we do not recommend using it as your primary browser except in these and other narrow circumstances. The exception to this is for MacOS users, for whom Chrome is the most secure browser generally available. We do support having Chrome installed on a system as a backup in case of issues with Internet Explorer.

Chrome is here:  https://www.google.com/intl/en/chrome/browser/

Disable pieces of IE that are required for the vulnerability to be used. If you must or prefer to use IE, Symantec has developed a way to stop the vulnerability by unregistering a piece of IE that is exploited by this issue:

Disable vgx.dll. Users can consider mitigating the issue by unregistering a DLL file named VGX.DLL. This file provides support for VML (Vector Markup Language) in the browser. This is not required by the majority of users. However, by unregistering the library, any application that uses the DLL may no longer function properly. Also, some applications installed on the system may potentially re-register the DLL. With this in mind, the following one line of instruction can be executed to make the system immune from attacks attempting to exploit the vulnerability. This line of instruction can be used for all affected operating systems:

"%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

We have developed a batch file that can be used to perform the task for those who may be required to administrate large IT infrastructures.


Note: Users will need to rename the file using a .bat extension.

The batch file has the ability to verify the current state of the DLL file and unregister the DLL as needed. The script outlined in the batch file is very simple and can be used as a basis to customize the code to fit the needs of certain system environments.

Although no special tool is necessary to mitigate this particular vulnerability, please note that recommendations, such as the one provided here, may not be possible for future vulnerabilities. We recommend that unsupported operating systems, such as Windows XP, be replaced with supported versions as soon as possible.
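One way to do the verify-then-unregister check that the batch file is described as performing, written here as an added PowerShell example; it is not Symantec's batch file and not code from the original post. The function names are hypothetical. It assumes an elevated, native PowerShell session, and it also covers the 32-bit copy under %CommonProgramFiles(x86)% on 64-bit Windows, which the one-line command above does not mention.

```powershell
# Added example, not Symantec's batch file; function names are hypothetical.
# Run from an elevated, native (64-bit on 64-bit Windows) PowerShell session.
function Get-VgxCopies {
    # 64-bit Windows also carries a 32-bit copy under "Common Files (x86)".
    $roots = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
        Where-Object { $_ } | Select-Object -Unique
    foreach ($root in $roots) {
        $dll = Join-Path $root 'Microsoft Shared\VGX\vgx.dll'
        if (Test-Path -LiteralPath $dll) { $dll }
    }
}

function Get-VgxRegistration {
    # The DLL counts as registered while any COM class names it as InprocServer32.
    $views = 'Registry::HKEY_CLASSES_ROOT\CLSID',
             'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
    foreach ($view in $views) {
        if (-not (Test-Path $view)) { continue }
        foreach ($clsid in Get-ChildItem $view -ErrorAction SilentlyContinue) {
            try { $sub = $clsid.OpenSubKey('InprocServer32') } catch { continue }
            if ($null -eq $sub) { continue }
            $server = [string]$sub.GetValue('')   # '' reads the default value
            $sub.Close()
            if ($server -match '\\vgx\.dll"?\s*$') {
                New-Object PSObject -Property @{
                    View = $view; Clsid = $clsid.PSChildName; Server = $server }
            }
        }
    }
}

function Disable-Vgx {
    # Same regsvr32 call as the one-liner above, once per copy found on disk.
    foreach ($dll in Get-VgxCopies) {
        $proc = Start-Process "$env:SystemRoot\System32\regsvr32.exe" `
            -ArgumentList '/s', '/u', "`"$dll`"" -Wait -PassThru
        if ($proc.ExitCode -ne 0) {
            Write-Warning "regsvr32 returned $($proc.ExitCode) for $dll"
        }
    }
}

if (@(Get-VgxRegistration).Count -eq 0) {
    'vgx.dll is not registered; nothing to do.'
} else {
    Disable-Vgx
    $left = @(Get-VgxRegistration)
    if ($left.Count -eq 0) { 'vgx.dll unregistered.' } else { $left | Format-List; 'vgx.dll is still registered; see entries above.' }
}
```

Because an installed application may re-register the DLL, as noted above, running the check again later shows whether the mitigation is still in place.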

Disable Adobe Flash for Internet Explorer. According to FireEye, the organization that identified this defect, “…the attack will not work without Adobe Flash. Disabling the Flash plugin within IE will prevent the exploit from functioning.”

Notes: Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.

Microsoft will fix this issue in Windows Vista, Windows 7 and Windows 8 systems. If you are still running Windows XP, and you’re a client of Interconnected Technologies, we have discussed the issues with this for some time. This newly-identified vulnerability is the first obvious occurrence of an issue that will not be fixed by Microsoft in Windows XP, which is no longer supported.

And, as always, if you are a client, or would like to be, please contact us to discuss this issue if you have questions.

Tuesday, Apr 29, 2014

Browser security – an update for 2014

It’s been pointed out that we haven’t updated this topic for a while. In case you have been wondering, here are some interesting changes, and some interesting consistency:

 


https://www.nsslabs.com/reports/browser-security-comparative-analysis-report-socially-engineered-malware

For this key source of malware, socially engineered malware, Internet Explorer remains at the very top, as it has been for some time; Chrome is a pretty good third place; and Firefox and Safari are, as they have been for several years, at the very bottom. Our recommendations for browser use are unchanged: use the most secure browser available on your platform, keep your operating system up to date, and use Norton Internet Security.

(Note: at this point we do not have enough information about the two new Chinese browsers to make a recommendation regarding them one way or another.)

Thursday, Apr 17, 2014

“Heartbleed” vulnerability

There has been a great deal of press about this vulnerability in recent days, and it’s difficult to determine exactly what an individual’s exposure is, reading through the coverage. Think of the Year 2000 issues but imagine if everyone had just realized the issue on December 31, 1999. On a smaller scale, that’s pretty close to the chaos that’s ensued since this was identified.

Generally, there is little a user of the internet can do directly to protect him/herself from this, since this exposure happens on a service provider’s server and not on the user’s computer. Further, while many security vulnerabilities give the bad guys access to stored information (credit card numbers, passwords, account numbers, etc.), this one gives unauthorized access only to a snapshot of what happens to be in a server’s memory at a point in time. A subtle difference, but an important one when considering the exposure.

Our best advice: if you’re worried about a given password – either because it’s for a service that was affected, or because you use it in multiple places, or “just because”, then change it. Change it to a “good” password. One that is 8 or more characters long, and uses three of these four groups: upper case letters, lower case letters, numbers, special characters. Don’t use your name, or your dog’s name, or your birthday (or your dog’s birthday) in the password. If you use a word or number in the password, make sure it’s not one that can easily be tied back to you. For example, DAF!090657 technically would be a “strong” password, but it could be cracked, if I used it, in a fraction of a second by password cracking software. Passwords that are a random jumble of letters, numbers and special characters are best, but are hard to manage unless one uses a password manager like Roboform or LastPass.

Keep in mind that if a provider of service for you has identified but not yet patched this exposure, you’ll have to change the password again after the service is patched. If you use the same password (as you should not) for multiple online services, then you put yourself at additional risk for two reasons: 1) because a password mined using a vulnerability like this could be used to access your information at multiple online services, and 2) because, if you change your passwords now but one or more smaller services you use hasn’t patched this vulnerability yet, you’ll have to change them all again. You should never use the same password at multiple sites, for just these reasons. For now, changing your password at larger, affected sites, monitoring email traffic about online services, and monitoring credit card statements, is about as much as a user can do.

Broadly speaking, Amazon.com, Apple services (me.com, icloud.com), eBay, Evernote, LinkedIn, Microsoft services (msn.com, hotmail.com, outlook.com), PayPal, Twitter were not affected by this.

Broadly speaking, Amazon Web Services, Dropbox, Facebook, Twitter, Google/Gmail, and Yahoo were affected, and have patched their systems to eliminate the exposure. It would be a good idea to change your passwords at these services.

 

You’ll notice I mentioned Twitter in each group, above. See how hard it is to tell?

If you have a service provider that is not one of the big ones (a regional bank, or smaller provider of some service), you should contact that provider to determine its status.

From a service provider perspective, the services that are at the heart of what Interconnected Technologies uses and recommends for our clients were not and are not vulnerable to this issue. Zendesk (our helpdesk service), Freshbooks (our time tracking and billing service), PayPal and Stripe (our credit card processing service), Wells Fargo (our banking service), Rackspace (Exchange service), Jungledisk (backup service), Egnyte (file services) and all services from Microsoft were not affected by this issue.

Only one service widely used by some Interconnected Technologies clients, Google Apps, was vulnerable to this, since it’s based on Gmail. Google patched the vulnerability immediately, and so the cautious approach would be to change any Google / Gmail / Google Apps passwords now. Contact us if you have questions about this or need help doing this.

These are some reference sites for this issue. A quick look will show that things are still in a state of flux as of this writing:

This is a very fluid and murky situation in which we find ourselves. The outline above is a good general guide, but as always we stand ready to provide our clients with tailored advice and solutions for their unique situations and needs.

Saturday, Feb 22, 2014

How to Unblock an IP address if LogMeIn has blocked it


Interconnected Technologies uses the services of a great company called LogMeIn. We use several of their products, but this article deals with the one most central to our operation: LogMeIn! Yes, this product has the same name as the company. They started with this product, and have expanded to quite a nice line of services. But I digress.

LogMeIn is obsessed with security, as it should be as a company that allows one computer to access another, or many. Part of that obsession involves a limit to the number of times one can try to access a remote computer before the service will simply disallow any further attempts. This can be a good thing, as in the case where someone is trying to gain unwanted access to your computer, or a bad thing, as in the case where you (or we) have tried to access a remote computer too many times with the wrong password and have been locked out.

Let’s deal with these two possible reasons for this happening:

Reason 1: Someone other than you or we tried to gain access to your computer. Here’s how to fix this: call us.

Reason 2: You (or we) tried to access your remote computer too many times with the wrong password. Here’s how to fix this:

  1. Find the LogMeIn icon down in the lower right corner of the screen. The icon looks like a smaller version of this: [image]
  2. Double click that icon to bring up the LogMeIn status window.
  3. Select the Options tab on the left of the window, and click on the Preferences button in the middle of the resulting window.
  4. Once in Preferences, select the Security tab in the middle at the top of the window, and scroll all the way to the bottom of the window.
  5. Here you will see an indication of one or more blocked IP addresses. In the bottom-most section, click on the Unblock all button to remove the block.
  6. That’s it!

Remember, if you don’t know why an address is blocked, see the advice under Reason 1, above.

Tuesday, Jan 07, 2014

Hacker’s Playground – an update

We’ve posted this before – on April 8, 2014 support for Windows XP ends:

http://www.interconnected.com/interconnectnow/2013/12/14/hackerrsquos-playground.html

Here’s some more information which, if it comes to pass, could cause additional ripples. Stay tuned folks – should be interesting.

http://www.networkworld.com/community/blog/why-april-9th-might-be-its-worst-day-2014?t51hb 

And, of course, if you are an Interconnected Technologies client and have Windows XP machines, or have concerns about this event – ask us. If you’re a Managed Services client, we’re keeping on top of your computers. If not, we might want to talk about this in the first quarter!