Microsoft releases security patch for Internet Explorer. Update now.

in Security Alerts for BU
May 1st, 2014

Today Microsoft has released an out-of-band security update to address the issue affecting Internet Explorer (IE) that was first discussed in Microsoft Security Advisory 2963983.  (Details below).

The new security update MS14-021 – Security Update for Internet Explorer (2965111) is fully tested and ready for release for all affected versions of the browser.

By now you may have heard that US-CERT and a number of other large security organizations are recommending that people stop using IE for a while until a security issue is resolved.

Security issues are discovered on a daily basis and, while we always need to act with an abundance of care and caution, we also need to really think through how we respond to events such as this.

The issue in the article above is serious, but it is also something that requires a user to visit an infected web page in order to be exploited.  If the person is going to web pages that they always go to – web pages associated with their normal business and life – the risk should not be too great.  As a practical matter, there are many web sites that don’t work properly on anything other than Internet Explorer, so the advice to “stop using Internet Explorer” really has little practical value for many people.  Rather, we should look to provide guidance on how to reduce the risk in general, and particularly until the patch for this issue is released.

A counterpoint to the above story is a recent report by an independent lab, NSS, that showed IE as being far and away the most effective at blocking tested malware at over 99%, with Chrome at 70% and Firefox and Safari at a dismal 4%.  But these results are always changing as the focus of the bad guys changes to take advantage of different things, to keep people guessing.  So this new issue hits and, for the moment, IE is in the spotlight.

One thing that you definitely need to do is stop using XP.  It is no longer under support; more and more exploits will be hitting the wild from now on, and no one will be releasing fixes.  Once your machine is breached, it will stay breached, and that will happen very quickly.

However, there are several things that you can do to protect yourself against this particular issue and many others and still continue to use IE.  Microsoft outlines a few of those here, but to summarize, the article suggests setting IE up in “Enhanced Security Configuration”, which is good security practice anyway.   These are the general steps:

  1. Go to IE > Internet Options
  2. Click on the Security tab
  3. Ensure that the following levels are set for each zone:
     • For the Internet zone, the security level is set to High.  This means that any site you browse to that is not in your Trusted sites zone will be prohibited from running scripts and dynamic content.  This will protect you from a large number of threats out there, but it also means that most of the sites you normally use will not work correctly until you put them into Trusted sites.
     • For the Trusted sites zone, the security level is set to Medium, which allows dynamic content and normal operation of most Internet sites.
     • For the Local intranet zone, the security level is set to Medium-low, which allows your user credentials (user name and password) to be sent automatically to sites and applications that need them.
     • For the Restricted sites zone, the security level is set to High.
  4. You will then need to add the sites you normally use and trust to the Trusted sites zone so that they will work properly.  This takes some time to set up the first time, but once you have done so, you will be much more secure moving into the future.
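For readers who manage more than one machine, the same four zone levels and the Trusted sites list can be audited (and, if you choose, set) from the per-user registry keys behind the Internet Options dialog. The script below is an added example written for this alert; it is not code from Microsoft or from the BU alert. It assumes the zone and ZoneMap registry paths, the zone numbers (1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites) and the CurrentLevel codes as Microsoft documents them for IE; Group Policy can override these per-user values through separate policy keys, which the script does not examine. The domain name passed to Add-TrustedSite is a placeholder.

```powershell
# Added example, not part of the BU alert or Microsoft's guidance.
# Audits the per-zone security level against the levels recommended in
# the alert and, on request, applies them or adds a domain to Trusted sites.
# Assumed: these per-user (HKCU) keys are where Internet Options stores the
# settings; Group Policy keys under Policies\ can override them.

$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$DomainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Level codes stored in each zone's CurrentLevel DWORD (assumed from Microsoft's
# documented zone registry layout).
$Levels = @{
    'Low'         = 0x10000
    'Medium-low'  = 0x10500
    'Medium'      = 0x11000
    'Medium-high' = 0x11500
    'High'        = 0x12000
}
$LevelNames = @{}
foreach ($name in $Levels.Keys) { $LevelNames[$Levels[$name]] = $name }

# Zone number, display name, and the level the alert recommends (step 3).
$Recommended = @(
    @{ Zone = 1; Name = 'Local intranet';  Level = 'Medium-low' },
    @{ Zone = 2; Name = 'Trusted sites';   Level = 'Medium' },
    @{ Zone = 3; Name = 'Internet';        Level = 'High' },
    @{ Zone = 4; Name = 'Restricted sites'; Level = 'High' }
)

function Get-ZoneLevelReport {
    # One object per zone: what is set now, what is recommended, and whether they match.
    foreach ($z in $Recommended) {
        $key = Join-Path $ZonesKey $z.Zone
        $current = (Get-ItemProperty -Path $key -Name CurrentLevel -ErrorAction SilentlyContinue).CurrentLevel
        if ($null -ne $current -and $LevelNames.ContainsKey([int]$current)) {
            $currentName = $LevelNames[[int]$current]
        } else {
            # A value outside the named levels means someone customised individual settings.
            $currentName = "custom/unknown ($current)"
        }
        [pscustomobject]@{
            Zone        = $z.Name
            Current     = $currentName
            Recommended = $z.Level
            Compliant   = ($currentName -eq $z.Level)
        }
    }
}

function Set-ZoneLevels {
    # Writes the recommended level to each zone. IE picks the change up on its next start.
    foreach ($z in $Recommended) {
        $key = Join-Path $ZonesKey $z.Zone
        Set-ItemProperty -Path $key -Name CurrentLevel -Value $Levels[$z.Level] -Type DWord
    }
}

function Add-TrustedSite {
    # Step 4 of the alert: map a domain to the Trusted sites zone (zone 2).
    # Defaults to HTTPS only; pass -Scheme '*' to trust the domain over HTTP as well.
    # Host-specific entries (a subkey per host under the domain key) are not handled here.
    param(
        [Parameter(Mandatory)][string]$Domain,
        [ValidateSet('https', 'http', '*')][string]$Scheme = 'https'
    )
    $key = Join-Path $DomainsKey $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value 2 -Type DWord
}

# Usage: audit first; uncomment the remaining lines only after reviewing the report.
Get-ZoneLevelReport | Format-Table -AutoSize
# Set-ZoneLevels
# Add-TrustedSite -Domain 'example.edu'   # placeholder domain; substitute a site you actually trust
```

Running the audit before applying anything matters because a zone whose CurrentLevel is not one of the five named codes has been customised setting by setting, and overwriting it with a named level silently discards those customisations. The same report, collected from many machines, gives a quick view of who has actually followed the steps above.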

Quinn R Shamblin

Executive Director of Information Security, Boston University