Security's Everyman

Tuesday, September 26, 2006

IE Patch

The big talk lately is the IE VML vulnerability that has many shaking in their boots, and rightfully so. IE has huge market share at work and at home. What is also worrisome is that porn and gambling sites also have huge market share at work and at home, and those are the places where a lot of malware lives. Unfortunately, it seems that even "trusted sites" are becoming infected at pretty alarming rates. You never know where you will get hit.

Microsoft is dragging its feet on releasing a patch. They give "workarounds" that most people won't apply because they either don't know about them, don't think they are vulnerable, or are too afraid that they will mess up their computer. My favorite is when Microsoft says that users just need to avoid going to sites that are likely to have the malware on them. Like those who do this are going to wait a month before getting their internet porn fix just so MS can get a patch out.

Now there are at least two third-party patches out. ZERT and eEye have both released a patch that will fix this. I applaud them for being willing to step up and fill the gap that Microsoft has left, but I have severe reservations about using either of these myself. For one, I don't know how the patch will affect my system, and if it breaks it, will MS support me? What about my apps? How will this patch affect my applications, especially those that rely on IE functionality? Who will support me if one of these breaks because of the patch? If it were just my personal system at stake I would be a little more willing to try something like this, but when it comes to corporate resources I can't take chances like this.

Now comes the dilemma. What about the chance we take that someone (or many) will visit a site that has been compromised? I know that I have users who visit porn sites at work and at home with company laptops. How do I know if they have been hit? How do I convince management that this, or something like it, is serious and likely to happen? Small company politics and a history of very few problems have made them complacent. I have one user who I strongly suspect has been hit. Maybe not by the VML issue, but by something. His IE history is full of porn sites and he is having some "odd" issues. I can't do anything about it (except waste time trying to fix it) because it's his personal laptop and he has been given permission to use it for work. (Luckily, in recent days I have been able to get a new policy in place for new personal laptops that gives me some teeth to growl with. Unfortunately this doesn't apply to previous personal laptops.)

All that said, I have my own patch and workaround for the VML vulnerability: I don't use IE unless I absolutely have to. I'm a Firefox fan and only use IE when the site requires it. Even then I lock it down tight.

This work is licensed under a Creative Commons Attribution-NC-SA 3.0 license.