This morning, going through the news, sipping my coffee and listening to trance music, I saw several articles pointing out a new 0-day vulnerability in IE8. This 0-day also has functional exploit code that is publicly available. Not only that, but it's now in the Metasploit Framework. I did what I always do when I see a 0-day announcement: I looked for the mitigating factors. You know, those compensating controls or actions you can take that will reduce your risk.
Reading the TechNet Security Advisory 2847140, I went through the list:
- By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.
- By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.
- An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.
Looking through the list, the first one says there is Enhanced Security Configuration, but from my initial search it's not present on Windows XP or Windows 7. So, on to the next one.
Well, that's good. It can't be exploited through email if you didn't change the default security settings; but it can still be exploited through a web-based attack scenario. Okay, not getting the warm and fuzzy feeling of my security blanket yet. What about the next one?
Really? A user whose account is configured to have fewer user rights on the system could be less impacted? Well, I'd hope that was an 'obvious' control for all threats. Granted, the number of users who log in with local administrative credentials or permissions is staggering. Still no warm and fuzzy feeling.
Come on, last bullet point! Don't let me down…
Did you read that last bullet point? Let me highlight one very important part: In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.
What does this mean, you say? This means that of all of the mitigating factors and compensating controls, User Security Awareness is what may very well keep your company safe and secure! It's right here, folks. It boggles the mind why, in this day and age, companies and certain people like Dave Aitel and Bruce Schneier want to obliterate a layer of your defense when it's the one single layer that may save you from 0-days.
Now don't get me wrong. I'm not saying that Security Awareness Education will be the end-all solution. But it is a layer. When your technical layer (the blinky box), your software layer and your IDS/IPS all fail because of an unknown, the last layer of defense is often the user staring at the phishing email. When we create an environment where people are actively rewarded and given an incentive to identify things that are 'out of the ordinary' in any area of technology, it strengthens this security layer. In this case, your blinky box just won't save you.
You need your users on your team!