Securing the Enterprise Despite its Internet Explorer 6 Dependence
by Eirik Iverson, Product Management
Microsoft currently distributes Internet Explorer 8, yet Internet Explorer 6 still accounts for 15% to 25% of web browser use. Many organizations choose to live with the increased security risk rather than bear the cost of upgrading custom web applications that depend on IE6 behaviour not found in IE8. The enterprise can have its backwards compatibility and its security too.
Malicious Websites Drool When Visited by Internet Explorer 6 Browsers
- AOL SuperBuddy ActiveX Control Code Execution Vulnerability.
- NCTAudioFile2.AudioFile ActiveX Remote Stack Overflow.
- Yahoo! Messenger ywcvwr.dll ActiveX Control Buffer Overflow.
- Yahoo! Messenger ywcupl.dll ActiveX Control Buffer Overflow.
- Microsoft Windows XVoice.dll and Xlisten.dll Buffer Overflow Vulnerability.
- Real Player IERPCtl Remote Code Execution Vulnerability.
- GOM Player GomWebCtrl.GomManager ActiveX RCE Vulnerability.
- Aurigma Facebook Image Uploader ActiveX RCE Vulnerability.
- Real Player rmoc3260.dll ActiveX Control Remote Code Execution Vulnerability.
- CA BrightStor ARCserve Backup ActiveX Remote Buffer Overflow Vulnerability.
- Microsoft Works ActiveX Control Remote Code Execution Vulnerability.
- Ourgame GLWorld GLIEDown2.dll multiple RCE Vulnerabilities.
- Creative Software CTSUEng.ocx ActiveX Control RCE Vulnerability.
- Microsoft Access Snapshot Viewer ActiveX Control Vulnerability.
- Sina DLoader File Download Vulnerability.
- Windows Media Encoder (wmex.dll) ActiveX Vulnerability.
- IE RDS ActiveX Vulnerability.
- IE WMIScriptUtils createObject vulnerability.
- IE WebViewFolderIcon vulnerability.
Thanks to the good folk at Finjan, the above is a ‘menu’ of sorts that a malware exploit kit called “Unique Pack” served earlier this year. When an Internet Explorer 6 browser visited a malicious website running “Unique Pack”, it was silently and systematically exposed to each of the above attacks until one succeeded. Note that most entries on the menu are third-party ActiveX controls (media players, messengers, upload tools) rather than bugs in the browser itself: the exposure comes from how readily IE6 lets a web page instantiate whatever controls happen to be installed on the machine. At the time, the equivalent lists for the newer versions of Internet Explorer were considerably shorter.
This is because Microsoft has added mechanisms for containing malicious content. Internet Explorer 7 introduced ActiveX Opt-In, which keeps installed controls disabled until the user explicitly allows the browser to use them, so most of the controls on the list above would not even be reachable from a web page. On Windows Vista and Windows 7, Internet Explorer 7 and 8 also run in “Protected Mode”, a sandbox that runs the browser at low integrity so that a successful exploit cannot write to most of the user’s files or registry, and they opt in to the operating system’s address space layout randomization (ASLR) and Data Execution Prevention (DEP), which together make it far harder for an attacker to turn a memory-corruption bug into code execution. Windows XP offers neither Protected Mode nor ASLR, which is why an XP desktop is at greater risk whatever browser it runs. Other features added since Internet Explorer 6, such as the blacklist of known malicious websites in IE7’s Phishing Filter and IE8’s SmartScreen Filter, reduce exposure further. Given the vast potential for critical vulnerabilities in the interfaces between Internet Explorer and its plug-ins, Microsoft’s testing effort naturally concentrates on the current browser. Internet Explorer 6 therefore represents a major security risk to the enterprise compared to the latest browser from Microsoft.
Deploy Two Additional Web Browsers and Place All Three ‘Under Guard’
Organizations running mostly Windows XP machines are at far greater risk than those running Windows Vista or Windows 7. Fortunately, the solution outlined here levels the risk so enterprise planners can take their time replacing Windows XP with a newer operating system.
Step 1. Limit the exposure of the vulnerable Internet Explorer 6 through registry or group policies that whitelist your custom web application servers. This makes the browser useless for any other server, leaving it nearly pristine when it visits the private servers hosting your custom web applications. Make sure the whitelist also covers any hosts from which those applications load scripts, images or controls, or the pages will break.
Step 2. Deploy one or more other web browsers. Consider deploying two web browsers: one for personal and the other for business use. Instruct employees that they can do what they please with their personal web browser and that they must keep business web browsing separate.
Step 3. Deploy AppGuard Enterprise or EdgeGuard, placing all three web browsers and other at-risk software applications under guard. These advanced computer protection security software solutions kill the malware attacks that successfully elude legacy security software every day.
Step 1x: If your organization lacks the ability to implement registry or group policies to restrict usage of the vulnerable Internet Explorer 6 web browser, and/or there are numerous computers in use that are not members of a Windows domain, you may use EdgeGuard to implement registry policies that limit Internet Explorer 6 to accessing only your custom web applications. Similarly, you can also use EdgeGuard to lock down the designated ‘business-only’ web browser such that it cannot access common personal websites such as Facebook, MySpace, etc.
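As an added example of Step 1 (this is not code from the original post, nor from Blue Ridge Networks’ products), the script below confines Internet Explorer 6 to a whitelist of internal servers using only standard Internet Explorer registry settings: it points the browser at a proxy that does not exist, lists the permitted hosts as proxy exceptions, and then applies the “Disable changing proxy settings” policy so the user cannot undo it. It is meant to run as a per-user logon script. The two server names are assumptions; replace them with your own.

```powershell
# Added example, not code from the original post or from Blue Ridge Networks:
# confine Internet Explorer 6 to a whitelist of internal application servers
# using only standard Internet Explorer registry settings, then lock the
# setting with the "Disable changing proxy settings" policy.
# The two server names are assumptions; replace them with your own.

$AllowedHosts = @('crm.corp.example', 'timesheet.corp.example')   # assumed names

$InetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$IePolicyKey  = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

# 1. Point the browser at a proxy that does not exist (port 9 is the discard
#    service; nothing listens there). Every request that is not exempted in
#    step 2 fails with "cannot display the webpage" instead of reaching the
#    Internet, so drive-by pages such as the "Unique Pack" menu never load.
Set-ItemProperty -Path $InetSettings -Name ProxyEnable -Value 1 -Type DWord
Set-ItemProperty -Path $InetSettings -Name ProxyServer -Value '127.0.0.1:9' -Type String

# 2. ProxyOverride is the bypass list: these hosts are fetched directly and are
#    therefore the only ones IE6 can reach. '<local>' is deliberately left out;
#    it would bypass the proxy for every dotless intranet name, not just ours.
Set-ItemProperty -Path $InetSettings -Name ProxyOverride -Value ($AllowedHosts -join ';') -Type String

# 3. Grey out the Connections tab so the user cannot undo steps 1 and 2.
#    Proxy=1 under this key is the value the Group Policy
#    "Disable changing proxy settings" writes.
if (-not (Test-Path $IePolicyKey)) { New-Item -Path $IePolicyKey -Force | Out-Null }
Set-ItemProperty -Path $IePolicyKey -Name Proxy -Value 1 -Type DWord

# 4. Read the result back so the logon script reports a failure if a later
#    tool (or the user, on an unmanaged machine) has changed it.
$Current  = Get-ItemProperty -Path $InetSettings
$Expected = ($AllowedHosts -join ';')
if ($Current.ProxyEnable -ne 1 -or
    $Current.ProxyServer -ne '127.0.0.1:9' -or
    $Current.ProxyOverride -ne $Expected) {
    Write-Warning "IE6 lockdown not in effect on $env:COMPUTERNAME for $env:USERNAME"
    exit 1
}
Write-Host "IE6 restricted to: $Expected"
```

One caveat a practitioner should weigh before using this: the Internet Settings proxy values are shared by every program on the desktop that uses the WinINET proxy configuration, not just Internet Explorer 6. Firefox keeps its own proxy settings and is unaffected, but Google Chrome follows the system settings, so if Chrome is one of the two additional browsers from Step 2 it must be given its own proxy configuration or it will be locked down along with IE6.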