Monday, April 28, 2014

If you lived here, you'd be home now - thoughts on the Internet Explorer 0-day vulnerability


Growing up around Boston, I remember seeing the famous billboards for the Charles River Park apartments: "If You Lived Here, You'd Be Home Now".  These signs were placed strategically, almost sadistically, on Storrow Drive where they were seen every day by the thousands of motorists trapped in rush hour gridlock.  This morning, as IT departments scrambled to react to the Internet Explorer 0day vulnerability, I couldn't help but think about that devilish piece of advertising.

This critical vulnerability in all versions of Internet Explorer was discovered by FireEye "in the wild". When a vulnerability is found being actively exploited like this, there is no time for the vendor to prepare a patch -- the only responsible course of action is to follow the dictates of military journalism: "Maximum disclosure with minimum delay". This resulted in Microsoft publishing its security advisory on a Saturday, while its engineers were still feverishly working on a patch.

Monday morning dawned with no available patch for this issue. The US and UK governments (and most IT departments) published guidance saying to avoid using Internet Explorer until a fix becomes available. Presumably, FireEye's excellent technology can be configured to block this attack, but edge-protection technologies only protect users while they are on the corporate network. Anyone using a laptop from home, a hotel, or a coffee shop is still wide open to attack.

What else can be done at this point, without a patch? A lot, as it turns out! Organizations who have done a good job at deploying Microsoft EMET (Enhanced Mitigation Experience Toolkit) on their desktops are protected in large degree from this 0-day attack. EMET is a free tool that provides system- and application-level control over exploit mitigation settings such as DEP and ASLR. While the exploit does attempt to bypass DEP and ASLR (and possibly EAF mitigation), FireEye confirms that systems with EMET 4.1 and 5.0 were successful in blocking the exploit in the wild.

Situations like this are exactly why Rapid7 features EMET deployment as an integral part of our Desktop Recommended Controls in our ControlsInsight product. You can't get a passing grade in ControlsInsight unless EMET is not only deployed to endpoints, but is also configured correctly and actually running. We don't believe that EMET is a panacea, but we have seen time and time again situations where the first few versions of an exploit are blocked by EMET, giving organizations precious time to obtain and deploy a patch in production. Sometimes, all you need is a couple days -- even a few hours of protection can make a big difference in your ability to react and respond to a new vulnerability.

Too many organizations confuse "vulnerability management" with "patch management". There is a LOT more to successfully managing vulnerabilities than simply playing whack-a-mole with known patches. A good vulnerability management program will include a careful of assessment of key controls such as desktop and server hardening, browser and browser plugin configuration, least-privilege settings, antivirus, and exploit mitigations such as EMET. As with any controls assessment, it's not enough to say "We have antivirus installed" or "We have EMET installed" - you have to validate whether AV is installed, up-to-date, and running.


If you came into work this morning knowing that EMET was deployed and properly configured enterprise-wide (and you could prove it), you probably had a very different set of conversations than everyone else who was scrambling to react to this unpatched vulnerability. In other words "If You Lived Here, You'd Be Home Now." :-)