We’ve got a team of analysts working on a broader event research note that will be published shortly. What I wanted to discuss here is “so what do I do if my organization is using IE?” Longer term, there are three key takeaways from the recent events:
Lesson #1 – Run more users as standard user. I’ve said it here and here and most recently here again. This has got to be a top priority initiative in 2010. Use the migration to Windows 7 as a catalyst if this is planned for this year.
Lesson #2 – Get off of IE6 ASAP. I don’t care if this is to Firefox, Chrome, Safari, Opera, IE7 or IE8. Get off of IE6 in 2010. Use the migration to Windows 7 as a catalyst if needed for budget and resources if this planned in 2010.
Lesson #3 – Use defense-in-depth at the endpoint. If you are planning on Windows 7, make sure some of the defense-in-depth capabilities if the OS are turned on in your master image. Technologies and techniques like Address Stack Layout Randomization (ASLR) and extending data execution prevention (DEP) into the browser are discussed in detail in this research note. Note that DEP applies to XP SP2, SP3 if used with IE8 as well. Other clients using third-party host-based intrusion prevention solutions like Cisco Security Agent or McAfee HIPS have additional protection
What to do short term? Back to the compromise at Google. Reports indicate that Microsoft has confirmed an IE vulnerability was involved in the Google attacks. Microsoft’s Security Advisory provides more information about the vulnerability here.
What can you do now if you are worried about IE6 until the patch is released by Microsoft? In addition to Microsoft’s guidance in the advisory, there are several alternatives we discuss with clients, but one option is to run IE6 from a terminal services or hosted virtual desktop (VDI) session where the session is restored back to a known good state after each use.