Australia's Leading Computer Emergency Response Team

OMG the zero-day browser exploit has struck - what now?
Date: 20 September 2012
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=16355


This week's announcement from Microsoft of an unpatched remote code execution vulnerability in versions 6, 7, 8 and 9 of Internet Explorer certainly prompted some thinking within AusCERT's CC Team. Until a patch is available, what can organisations do to protect themselves against a compromise without impacting their users' ability to do their jobs?

In ASB-2012.0128 we suggested a number of potential mitigations, many of which required some proactive steps to have been executed prior to the announcement of a vulnerability. We'd like to expand on these a little - perhaps you're thinking "I'd like to be ready for the NEXT unpatched vulnerability in my organisation's chosen web browser".

First, before any technical discussion occurs, let's talk about how your organisation would react if a compromise occurred. Did you dust off your incident response plan on Tuesday when you heard the dreaded "zero day" news and does this incident response plan form part of a higher level contingency plan?

For example, how well can your organisation reduce the effects should a vulnerability be used against you? Are users educated on safe browsing practices, and are you able to recover systems in a timely fashion? Do you have roles and responsibilities defined? This is not an exhaustive list; the key message is not just to try to block an attack, but to be prepared to reduce the impact should an attack be successful.

The Australian Government Information Security Manual (ISM) can be equally relevant to government and non-government entities, and there are some example incident response and contingency planning documents available on the US National Institute of Standards and Technology website. AS/NZS ISO/IEC 27002:2006, Code of practice for information security management, includes a section specific to business continuity within information security.

Now let's move on to possible tactics for mitigating the present IE vulnerability. Even in an emergency it isn't practical to simply switch off users' web browsers. You can, however, prepare to expose users to a reduced (and hopefully safer) portion of the Internet so that they can keep working.

We suggested in ASB-2012.0128 that you could use a pre-defined list of "business related Internet sites" to reduce the attack surface presented to Internet Explorer. You could implement this in a number of ways, the easiest of which is your organisation's content filter. Use the pre-defined categories within the product, or better still list out each external site your users require for critical business functions. Your business continuity team will probably have this list already.

It's then a simple matter of making a quick change on your content filter to block everything except your business related sites list. Match entries on the full host name rather than on a substring, otherwise a host such as example.com.attacker.net would pass as example.com. This has the positive side-effect of blocking advertisements that load in panels within trusted sites, through which compromises may otherwise occur (such as an ad server turned malware server).

You can further extend this approach using the security zones within Internet Explorer. The Internet Explorer Administration Kit allows for organisation-wide deployment of the settings you wish to customise within Internet Explorer. After appropriate risk/threat analysis your organisation could change the zone settings to apply more restrictive controls to untrusted sites in the Internet zone, whilst continuing to allow (for example) scripts to execute on the business related sites that your organisation places in the Trusted sites zone.
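The following PowerShell script is an added example, not AusCERT's code or part of the advisory, showing what the "business related sites" allowlist and the zone lockdown described in the two preceding paragraphs look like in the registry on a single machine. The host names are constructed placeholders, and the script assumes a test machine where per-user zone settings are honoured; in an Active Directory environment the same values are deployed centrally through Group Policy (the Site to Zone Assignment List and the Internet Zone security settings under Internet Control Panel > Security Page) or the IEAK, and if the "Security Zones: Use only machine settings" policy is enabled, these HKCU values are ignored.

```powershell
# Added example (not from the original advisory): assign a business allowlist to
# the IE Trusted sites zone and disable scripting/ActiveX in the Internet zone.
# Zone numbers and policy value names are the documented ones (Microsoft KB 182569).

# Constructed sample allowlist; substitute your business continuity team's real list.
$BusinessSites = @(
    'intranet.example.com',   # hypothetical hostnames
    'payroll.example.net',
    'example.org'
)

$ZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$Zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

$TrustedZone  = 2
$InternetZone = 3
$Disable      = 3   # per-setting values: 0 = enable, 1 = prompt, 3 = disable

# Internet-zone settings to disable while the vulnerability is unpatched.
$Policy = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active scripting'
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
}

function Add-TrustedSite {
    param([Parameter(Mandatory)][string]$HostName)
    # IE stores www.example.com as Domains\example.com\www; a bare example.com
    # (covering all its subdomains) is Domains\example.com. Assumption: the
    # registrable domain is the last two labels, so hosts under co.uk etc.
    # need manual handling.
    $labels = $HostName.ToLower().Split('.')
    if ($labels.Count -lt 2) { throw "Refusing single-label host '$HostName'" }
    $key = Join-Path $ZoneMap ($labels[-2..-1] -join '.')
    if ($labels.Count -gt 2) {
        $key = Join-Path $key ($labels[0..($labels.Count - 3)] -join '.')
    }
    New-Item -Path $key -Force | Out-Null
    # Trust only https on the host; plain http on the same host stays in the Internet zone.
    New-ItemProperty -Path $key -Name 'https' -PropertyType DWord -Value $TrustedZone -Force | Out-Null
    return $key
}

function Set-InternetZoneLockdown {
    $key = Join-Path $Zones $InternetZone
    foreach ($name in $Policy.Keys) {
        Set-ItemProperty -Path $key -Name $name -Type DWord -Value $Disable
    }
}

function Get-ZoneLockdownReport {
    # Read back the Internet zone so the change can be verified before rollout.
    $props = Get-ItemProperty -Path (Join-Path $Zones $InternetZone)
    foreach ($name in ($Policy.Keys | Sort-Object)) {
        $state = switch ($props.$name) { 0 { 'Enabled' } 1 { 'Prompt' } 3 { 'Disabled' } default { 'Not set' } }
        [pscustomobject]@{ Value = $name; Setting = $Policy[$name]; State = $state }
    }
}

# Usage: allowlist into Trusted sites, lock down the Internet zone, then verify.
$BusinessSites | ForEach-Object { Add-TrustedSite -HostName $_ }
Set-InternetZoneLockdown
Get-ZoneLockdownReport | Format-Table -AutoSize
```

Sites in the Trusted sites zone keep their own (more permissive) zone settings, so the allowlisted applications continue to run scripts while everything else is denied scripting and ActiveX; test the Trusted sites zone's own settings as well, since its defaults are looser than the Internet zone's.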

Microsoft also offers the Enhanced Mitigation Experience Toolkit (EMET) to apply exploit mitigations such as DEP, ASLR and SEHOP to individual applications, including iexplore.exe, without the need to recompile them from source code. Microsoft's blog on this topic explains this technique further.

We acknowledge that no software product is completely without faults; however, the best mitigation for this week's zero-day vulnerability in Internet Explorer is simply to use a different browser until an appropriate patch can be deployed. This is potentially far more complex than it sounds - for example, your organisation may require complete testing of all business critical web sites on the chosen alternative browser. Still, it is not impossible, and preparation in advance is the key.

For an enterprise that uses Active Directory, Firefox can be deployed and patched using the Firefox MSI from FrontMotion and an appropriate Group Policy software installation. Both the current and ESR (Extended Support Release) versions of Firefox are available. For more information, see the deployment guide for Active Directory and the FrontMotion Firefox MSI page.

Regards,
The CC Team.