Out-of-band update for Hydraq exploit from Microsoft Thursday
In an unprecedented response to last week's news of attacks on the servers of Google and others by a sophisticated Trojan first catalogued as Hydraq, Microsoft confirmed to Betanews this afternoon that it will publish a security fix for the vulnerability tomorrow, January 21, at approximately 10:00 am PST. The company will issue the update with a "Critical" severity rating.
"Microsoft continues to see limited attacks, and to date, the only successful attacks have been against Internet Explorer 6," the company stated this afternoon. "Customers will be apprised of any changes in the threat landscape through the Microsoft Security Response Center blog, and changes to the advisory [issued last week]."
Sophos Senior Security Advisor Chet Wisniewski told Betanews he believes Microsoft's response to this latest Web browser vulnerability was "exceptionally quick" and even, in some regards, "explosive." He noted the company has no problems now with characterizing IE6 as a security threat in itself, especially if it compels customers to upgrade to IE8.
But although the Hydraq Trojan had been rated "low" in severity when it was first discovered by researchers including Symantec earlier in the year, Wisniewski believes that now that the exploit is publicly known, it's only a matter of time before it mutates into something that could impact IE7 and IE8.
The problem, he believes, is that although it takes as little as two or three weeks to issue a patch, few users actually download and install it. This was the case with a previous problem: "I think we're going to see [Hydraq] exploited similarly to Conficker," Wisniewski said. "It took three weeks to issue a patch there, but most of the world didn't bite. One year and four months later, some six million computers may be susceptible to Conficker. Now, GM, Boeing, companies like that -- they'll patch. But people aren't bothering to patch."
Wisniewski disagrees with opinions that Internet Explorer should be dumped altogether, citing his research, in which he's learned that as competing browsers such as Firefox and Safari evolve, they too are becoming more susceptible to threats in their own right -- threats which give them an attack surface equal to IE's. What's more, the protections Microsoft employs for IE8 -- including Data Execution Prevention and Address Space Layout Randomization -- are actually features of the Windows operating system, features which competing browser makers should be utilizing for themselves as well.
What prevents many companies from switching from IE even if they want to, the Sophos researcher continued, is the fact that migration requires retraining -- and for businesses, that's an expense. For individuals, such as Wisniewski's own mother, it's a point of confusion, especially when everything's located in a different place. After having switched her to Firefox, he told us, she called him one time to claim her connection wasn't working. The problem, he said, was that someone had taken away the blue "e" in the corner.
Wisniewski also refuted the notion that Microsoft was somehow slow in responding to the threat, or was using public relations as a stopgap.