Update as of May 1, 2014: Microsoft has released an emergency patch for the Internet Explorer vulnerability. Users should apply Windows Updates and then reboot their computer. Microsoft did release a version of the patch for Windows XP systems. Windows XP users should also apply these updates and reboot.
Microsoft released a security advisory (number 2963983) for Internet Explorer (IE) on Saturday, April 26, 2014. All current IE browser versions (6-11) have a security vulnerability being actively exploited by hackers. As a result, people using these versions of IE are at risk of having their computer compromised.
The MSU Police Department and IT Services advise all users of Microsoft Internet Explorer to use an alternate web browser (e.g., Mozilla Firefox, Google Chrome) until a patch is released, with the exception of MSU websites that require IE, such as EBS.
Background
Microsoft Internet Explorer contains a use-after-free vulnerability. This allows thieves to gain unrestricted access to data stored on the computer. Specifically, users of Internet Explorer are at risk of having their computer compromised simply by browsing a website which contains malicious code. The vulnerability allows hackers to easily gain access to computer systems and install malicious software or even change and delete sensitive data stored on the computer.
Although no Adobe Flash vulnerability appears to be at play here, the Internet Explorer vulnerability is used to corrupt Flash content in a way that allows address space layout randomization (ASLR) to be bypassed via a memory address leak. This is possible because the Flash plug-in runs within the same process space as the browser. In addition, the vulnerability allows hackers to easily trick the computers of unsuspecting individuals. Exploitation without the use of Flash may be possible.
Impact
By convincing a user to view a specially crafted HTML document (e.g., a web page, an HTML email message or attachment), an attacker may be able to execute arbitrary code to gain access to data on computers, install malicious software, or change and delete sensitive data on the computer.
Proposed Solution
- Use an alternate browser (e.g., Mozilla Firefox, Google Chrome) until a patch is released.
- Make sure all computer software is up to date and is utilizing the latest patches or service packs. This includes Windows and Mac OS, Adobe products, Java, and anti-virus signature files (e.g., Symantec).
- Do not open URL links or attachments from email that you were not expecting.
- Run an anti-virus scan on your computer (this includes Mac OS computers).
- Consider utilizing a malware scanner such as Malwarebytes or HitmanPro and scanning for malware on your Windows-based computer.
- Back up data stored on your computer’s hard drive(s).
The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this vulnerability. Note: Platforms that do not support ASLR, such as Windows XP and Windows Server 2003, will not receive the same level of protection that modern Windows platforms will. This is the first vulnerability confirmed that will not be patched for Windows XP since Microsoft ended support for Windows XP on April 8.
If you have any questions, please contact IT Service Support at (517) 432-6200 or via email at itserve@msu.edu.
Computer Labs Across Campus
The version of Internet Explorer currently running in the IT Services managed computer labs, the public computers in the libraries, and the public computers in the residential engagement centers is vulnerable to this exploit. IT Services has prepared a fix to mitigate the vulnerability. However, due to the potential risk associated with deploying this fix, the deployment will be performed the week of May 5, 2014.
In the meantime, we are advising people using the computers in the labs to refrain from using Internet Explorer unless necessary and recommend using Firefox, which is the default web browser on the lab computers.
Questions concerning the computer labs or engagement center computers may be directed to IT Services Classroom Support at (517) 353-3960.
Additional Information
Additional information about this vulnerability can be viewed on Microsoft’s TechNet site.
Additional information on how to protect yourself online, including tips to avoid “phishing” attacks, is found on tech.msu.edu/secureit.