HP Security researchers develop IE vulnerability filters
HP’s Security division regularly publishes developments on breaking vulnerabilities. As evidence of these efforts and its prompt response, HP’s firewall technology brand TippingPoint has developed and published the details of a pair of filters to protect against the major Internet Explorer vulnerability that emerged over this past weekend. The rapid development and deployment of this fix should prove useful to the many enterprise customers that may be affected by the still-unpatched vulnerability, which affects several major versions of IE.
When the vulnerability was first announced, researchers at security company FireEye disclosed that a number of targeted attacks had been observed in the wild, attributed to a known cybercriminal group. With the vulnerability unpatched for a number of days now, the exploit may have spread, and it may affect a still-uncounted number of systems. HP’s ability to apply additional measures against the vulnerability and exploit is critical until Microsoft releases its own patches for IE.
An HP blog post details how TippingPoint researchers quickly developed this stopgap measure, with early detailed knowledge provided by Microsoft:
We received some early detection guidance from Microsoft, and spent the evening Saturday developing two filters to address this attack. … In order to provide the most complete coverage for this vulnerability, our security researchers analyzed the proof-of-concept file from Microsoft and made a number of modifications to it. This included trimming the attack down to its essential elements needed to cause the crash, modifying which objects and methods were critical to the bug, and addressing multiple ways of triggering the vulnerability.
The filters for HP TippingPoint are labeled by the company as 13902 and 13903. 13902 is a vulnerability filter designed to have minimal false positive potential and is targeted at the root underlying vulnerability. 13903 is an actual policy filter, meaning it controls what users are allowed to do outbound from an organization. This filter is designed to detect the use of Vector Markup Language (VML), which is a critical component of the vulnerability that could be used in a potential exploit.
The measures come at a critical time, as the unpatched state of this vulnerability means significant risks to the enterprise at large. Undoubtedly, IT departments throughout the land are racing to modify workstations to minimize the impact. For many organizations, that is a time-consuming task that could stretch over several days and beyond.
Major US-CERT alert
The issue is critical enough that the Department of Homeland Security’s (DHS) US-CERT (United States Computer Emergency Readiness Team) has publicly advised against using Internet Explorer until a patch is developed and deployed:
The CERT/CC (CERT Coordination Center) is currently unaware of a practical solution to this problem. Microsoft Security Advisory 2963983 has provided several workarounds.
HP’s TippingPoint team has released this immediately and asks that customers who experience hits on this specialized filter 1390 contact the HP TippingPoint Technical Assistance Center (TAC).