11.21.2005

Internet Explorer Zero-Day Exploit

Updated as of 5:30pm Central Time

SANS broke a story this morning regarding a publicly available exploit for an unpatched Internet Explorer vulnerability.  For those of you not hip to all the security lingo – a zero-day exploit breaks down like this:

  • Bad guy code is in the wild
  • Vendor patch is nowhere to be found

While SANS recommends using an alternate browser (not a bad idea for the casual surfer), some businesses rely on web sites and applications that are customized for Internet Explorer.  Given this situation, what tangible things can you do to protect your IE users until a patch is released?  Here is what I’ve found so far in my limited testing of the proof-of-concept code (click this PoC link at your own risk):

  • Mitigation: Disable Active Scripting in Internet Explorer’s Advanced Security Settings
  • Steps: Open IE… Tools… Security Tab… Highlight Internet Zone… Click Custom Level… Scroll down to Scripting section and disable Active Scripting
  • Ramifications: I implemented this setting on my own XP SP2 machine after posting this blog entry, and can honestly say I was surprised at how many sites malfunctioned – or failed completely.  For instance, I spend a lot of time on various Microsoft sites that use Passport.  Forget it – Passport requires Active Scripting.  Bottom line – be careful about implementing this workaround without adequate testing. 

Here is a screen shot of the Active Scripting setting for your enjoyment:

[Screenshot: IESecuritySettings]

Note: One thing to be aware of is the negative effect this setting may have on your web applications.  An example is Outlook Web Access – which will not render at all with Active Scripting disabled.  Here is a screen shot of OWA after making the changes above:

[Screenshot: OWA-broken]

An easy work-around (which you should replicate for all your internal and trusted partner sites) is to add the broken sites to your Trusted Sites list.  This is accomplished in the same area where you set the option to disable Active Scripting… except this time you want to add a site to the Trusted Sites list.  A picture is worth a thousand words – and I’m running short on time:

[Screenshot: OWA-HowToFix]

Finally, all these settings can be configured via Group Policy if you are in an Active Directory environment… or if you use another product like ZENWorks to push Group Policy to your clients.  Here is one more screen shot for you – this is the location to visit if your clients are running XP SP2.  Other OS GPOs will look different.

[Screenshot: GroupPolicyXPSP2]
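
The two GUI changes described above (Active Scripting disabled in the Internet zone, a broken internal site moved to Trusted Sites) map to per-user registry values, shown here in PowerShell as an added example that is not part of the original post. The host owa.example.com is a placeholder, and the function names are hypothetical helpers written for this example.

```powershell
# Added example: the per-user registry values behind the GUI steps in the post.
$settings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ActiveScripting = '1400'        # zone value name for Active Scripting
$Disable = 3                     # 0 = enable, 1 = prompt, 3 = disable
$InternetZone = 3
$TrustedZone = 2

function Set-ZoneValue {
    param([string]$Key, [string]$Name, [int]$Value)
    # Test-Path first: New-Item -Force on an existing registry key clears its values.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Disable-InternetZoneScripting {
    Set-ZoneValue -Key "$settings\Zones\$InternetZone" -Name $ActiveScripting -Value $Disable
}

function Add-TrustedSite {
    param([string]$Domain, [string]$SubDomain, [string]$Scheme = 'https')
    # ZoneMap stores owa.example.com as Domains\example.com\owa; the value name is the scheme.
    $key = "$settings\ZoneMap\Domains\$Domain"
    if ($SubDomain) { $key = "$key\$SubDomain" }
    Set-ZoneValue -Key $key -Name $Scheme -Value $TrustedZone
}

function Get-ScriptingValues {
    param([int]$Zone)
    # Group Policy writes the same value name under the Policies hives, so list those
    # next to the per-user value to see whether a pushed setting is present.
    $roots = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
             'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
             $settings
    foreach ($root in $roots) {
        $v = Get-ItemProperty -Path "$root\Zones\$Zone" -Name $ActiveScripting -ErrorAction SilentlyContinue
        if ($v) { [pscustomobject]@{ Zone = $Zone; Source = $root; Action = $v.$ActiveScripting } }
    }
}

Disable-InternetZoneScripting
Add-TrustedSite -Domain 'example.com' -SubDomain 'owa'   # placeholder host (assumption)
Get-ScriptingValues -Zone $InternetZone
Get-ScriptingValues -Zone $TrustedZone
```

Running the two `Get-ScriptingValues` calls before and after a Group Policy refresh is a quick way to confirm that the pushed setting reached a client and that the Trusted Sites zone was left alone.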

So, until you see a notice from Microsoft regarding their suggested work-arounds, you can use the procedures in this post to protect yourself from the proof-of-concept code.  With the SANS Internet Storm Center at Yellow Alert, it is only a matter of time before we hear something from Microsoft.  Keep an eye on the Microsoft Security Advisories page for an official announcement.