UPDATE: Microsoft has released a quick-fix temporary patch: https://support.microsoft.com/kb/2757760 Well, I already posted this blog, so maybe it's still useful as a theoretical exercise in case this happens again. Also stay tuned for my exclusive "I survived the Zero Day Malware" T-shirts. They say "Never Forget" on the back 🙂
Thanks to Louie Meraz for help with this blog post
So, as pretty much everybody who works in the IT space already knows, there is currently a Microsoft Security Advisory regarding a vulnerability in Internet Explorer versions 6, 7, 8 and 9. It is a security flaw that can be exploited to execute malware on your end-user devices. Currently Microsoft's suggestion is to use the Enhanced Mitigation Experience Toolkit (https://support.microsoft.com/kb/2458544). This is a pretty cool security tool that allows you to make your applications that bit more secure. Microsoft also suggests setting your Internet Security Options to High.
The problem with that is that if your web applications haven't previously been adapted to work with high security settings, there's a good chance they'll become unusable.
You should also know, as my friend Louie Meraz found out today, that when deploying EMET to machines that are currently encrypted with BitLocker you've got a problem! The following is an excerpt from the EMET User Guide:
Modifying the system setting for DEP changes the boot options for the operating system. BitLocker cannot prevent an attacker from tampering with these options and instead monitors them for change. When they change, BitLocker asks for the recovery key to ensure the changes are legitimate.
To prevent BitLocker from continually asking for your recovery key, you will need to disable BitLocker (and decrypt the drive). Afterward, you can re-enable it (and re-encrypt the drive). This will cause BitLocker to record the new boot options.
So if you've got BitLocker out there, you'll have to decrypt and re-encrypt your machines. Then, if you don't plan on leaving EMET on your users' machines long term, you'll have to decrypt and re-encrypt again to remove it!
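If you do decide to push EMET, it helps to know up front which machines have BitLocker protection on and what their current system DEP boot option is, so those can be staged separately. The following PowerShell pre-flight check is an added example, not code from the original post or from the EMET User Guide; it assumes an elevated prompt, English-language bcdedit output and the Win32_EncryptableVolume WMI provider (Windows 7 era and later).

```powershell
# Added example, not from the original post or the EMET User Guide.
# Pre-flight check for an EMET rollout: reports whether BitLocker protection is
# on for the OS volume and what the current system-wide DEP ("nx") boot option is,
# so machines where EMET's system DEP change would trigger a BitLocker recovery
# prompt can be staged separately. Assumes elevated PowerShell, English bcdedit
# output, and the Win32_EncryptableVolume WMI provider (Windows 7 era and later).

function Get-SystemDepPolicy {
    # bcdedit prints an "nx" line (OptIn, OptOut, AlwaysOn, AlwaysOff) only when
    # the value has been set explicitly; no line means the OptIn default applies.
    foreach ($line in (& bcdedit.exe /enum '{current}' 2>$null)) {
        if ($line -match '^\s*nx\s+(\S+)\s*$') { return $Matches[1] }
    }
    return 'OptIn'
}

function Get-OsVolumeBitLockerStatus {
    $osDrive = $env:SystemDrive   # e.g. C:
    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume -Filter "DriveLetter='$osDrive'" `
                         -ErrorAction SilentlyContinue
    if (-not $vol) { return 'NotAvailable' }   # no BitLocker provider on this box
    switch ($vol.GetProtectionStatus().ProtectionStatus) {
        0       { 'Off' }
        1       { 'On' }
        default { 'Unknown' }
    }
}

$bitLocker = Get-OsVolumeBitLockerStatus
$dep       = Get-SystemDepPolicy

# Only a machine with protection ON is at risk: a rewritten nx boot option is
# what makes BitLocker ask for the recovery key (see the EMET guide excerpt above).
$report = New-Object PSObject -Property @{
    Computer               = $env:COMPUTERNAME
    BitLockerProtection    = $bitLocker
    CurrentDepPolicy       = $dep
    NeedsBitLockerHandling = ($bitLocker -eq 'On')
}
$report | Format-List
```

Run it through your management tooling to collect one report per machine; anything with NeedsBitLockerHandling set to True is a box that will hit the decrypt/re-encrypt problem described above.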
Another suggestion is to deploy a different browser (e.g. Google Chrome or Mozilla Firefox) to all your users until Microsoft releases a patch. If your company has already performed due diligence in packaging or sequencing one of these other browsers, that could be a good option, particularly as a streamed App-V application, as deploying it to everyone would take 3 clicks and removing it would take 2. Of course this all hinges on your respective company approving the use of these browsers from a security standpoint.
Realistically, I don't work in security, so I may not be the best guy to give advice on this, but anyway, it's my blog so I'll do what I want. Here are my thoughts on this. If you've got another browser to deploy and a quick way to lock down IE, go for it: if it's easily implemented, secure and easily reversed, you have nothing to lose! However, if you don't have a quick way to get around using IE, then I'm not sure EMET and changing the security settings is the way to go. You'll likely break a lot of your web apps, and presumably EMET is not currently in use in your environment either, therefore you should validate and test the package before deploying, which could take a day at least! And then you'll have to roll it back for all users once a patch is released. Microsoft has suggested a patch should be available within the next couple of days. If it was my call to make, and it's not, I would just wait for the patch. Maybe it's a good thing I'm not a security advisor, eh?