More Content - Including Podcasts

Wednesday, March 31, 2010

Patch Released to Remediate More Zero-Day Exploits for Internet Explorer

A critical cumulative security update for MS Internet Explorer was released yesterday (March 30) as noted in security bulletin MS10-018. This patch deals with 10 (count 'em, TEN) additional vulnerabilities within the browser, 9 previously undisclosed and one that was made public. The one known vulnerability is specifically for IE 6 & 7, although the patch in general is advised for IE 5.01 through 8, and while MS rates this security patch as "moderate" for IE 8 on servers, why would you take a chance these days?

What are the Risks?
The known vulnerability for older versions of IE, referred to by the Common Vulnerabilities and Exposures (CVE) group as CVE-2010-0806, was first described in an earlier Microsoft Security Advisory and could allow remote code execution. As for the impact of the remaining, previously undisclosed vulnerabilities, Microsoft states the following:

"The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

Recommended Actions
Microsoft rates this patch from important to critical, depending on your desktop version of the browser. If you are leveraging automatic updating, this patch will get pushed to your end-users' desktop systems; if you manage your updates, be aware of this one and take the actions you judge as appropriate for your organisation to ensure servers & desktops using Internet Explorer are protected.
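For those who manage their own updates, the check that follows is an added example (not from the original post or from Microsoft) of how to confirm from a management workstation which hosts have the MS10-018 update installed. It assumes PowerShell with remote WMI access to the hosts; the KB article number is not stated in this post, so it is a placeholder to be replaced with the one listed in the MS10-018 bulletin, and the host names are constructed sample values.

```powershell
# Added example: report which Windows hosts have a given KB installed.
# $KB is a PLACEHOLDER; replace it with the KB number from security bulletin MS10-018.
$KB    = 'KB000000'
$Hosts = @('desktop01', 'desktop02', 'webserver01')   # constructed sample host names

$Report = foreach ($h in $Hosts) {
    try {
        # Get-HotFix queries Win32_QuickFixEngineering on the remote host and
        # raises an error (made terminating here) when the KB is not present
        $installed = Get-HotFix -Id $KB -ComputerName $h -ErrorAction Stop
        [pscustomobject]@{ Host = $h; Status = 'patched'; InstalledOn = $installed.InstalledOn }
    }
    catch {
        # Distinguish "KB absent" from "host unreachable" so an offline host
        # is not silently counted as patched or as missing
        if (Test-Connection -ComputerName $h -Count 1 -Quiet) {
            [pscustomobject]@{ Host = $h; Status = 'MISSING'; InstalledOn = $null }
        } else {
            [pscustomobject]@{ Host = $h; Status = 'unreachable'; InstalledOn = $null }
        }
    }
}

# Missing hosts sort first so they are the first thing on screen
$Report | Sort-Object Status | Format-Table -AutoSize
```

One caveat when reading the output: Internet Explorer updates are cumulative, so a host that has since received a later cumulative IE update may not list this KB and still be protected. Treat a MISSING result as a prompt to check the installed IE update level rather than as proof the host is unpatched.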

What Next?
This flaw in the browser's code again appears to centre on risks arising from phishing-type attacks. IT managers and IT security professionals have to take this into account when assessing the risk level and possible next steps. Applying the patch is a given; changing the default browser used in your organisation is something you are probably already considering, but it usually carries many ramifications, including end-user training and compatibility with your most commonly used sites and applications.

Let's face it, for most of us there's just no getting away from IE completely.
This also raises the social-engineering side of the issue and the question of how much of it we can control by managing where our users can go on the Internet, and by caching or pre-qualifying sites before users first access them.

In the meantime we contain what we can by educating our users, protecting the network as best we can without crippling the users, and staying as well informed as we are able. Hang on folks, this is going to continue to be a bumpy ride; hopefully I and other like-minded professionals can keep you educated on what is happening beneath the hype.
