On the first day of Christmas, Microsoft gave to me: An emergency patch for IE! Let’s talk about the alarming security hole recently discovered in Internet Explorer, how it impacts our daily operations, and what we can do about it.
Q: How does it work?
A: If a user on a vulnerable system uses Internet Explorer to visit a website that contains malicious code that exploits the vulnerability, that website could run code on the vulnerable computer. The code that’s run on said computer would run with whatever security rights the logged-in user has, meaning it’s a possible vector for Cryptolocker attacks against mapped network drives and/or information disclosure attacks.
A: Don’t panic just yet. Keep reading!
Q: Is there a fix? Is there a workaround?
A: Yes to both. Microsoft’s fixes for this vulnerability are basically re-issued versions of last week’s Patch Tuesday security updates with the IE fix stapled onto the end. We’ve already approved those updates for distribution through our patch management system, and most of those updates went out last night. There’s a potential problem, however, with variants of this patch for Windows 10 (keep reading).
Meanwhile, the workaround is simple: Don’t use Internet Explorer if you can help it. This vulnerability affects Internet Explorer ONLY. Microsoft Edge is not affected and remains safe to use, as do alternate browsers like Chrome, Firefox, and Opera. If you’re contracting with us for update management, we’re also keeping your third-party browsers up-to-date for you. Sending a company-wide e-mail about IE use might not be a bad idea.
Q: What’s the catch?
A: What fun would this be if everything was easy? Patch Tuesday’s security updates for Windows 10 builds 1607 and newer carry a Known Issue with .NET 4.6 (and newer) applications when they run a certain procedure. Since these emergency IE patches are built from those misbehaving updates, they carry the same Known Issue. The technically-minded can read more about this issue here:
There’s really no way for us to know if that’s going to break any line-of-business applications, so we’re withholding the Windows 10 patches from automatic distribution until we can get that sorted out. We do have a number of patch testbed systems in production against which we’re evaluating this fix, plus we continue to confer with industry peers and perform additional research to assess the impact of this Known Issue. Watch this space for updates!
Q: What should we be doing?
A: Again, don’t use IE if at all possible. Make sure your computers are turned on, plugged in to an Ethernet connection, and connected to the internet so our patch delivery systems can deliver updates. As always, best-practices remain in play: Don’t visit websites that you don’t already trust. Don’t run anything with Administrator rights if being a normal User is fine. If you don’t contract with us to manage your backups, double-check to make sure they’re working correctly and that your offsite replication is also good.
In short, “Keep Calm and Compute On”.