it.ucsf.edu

Security Update: ALL Versions of Internet Explorer Vulnerable to Remote Code Execution (Patch Currently Not Available)

Status Type

Security Update

Date and Time

Tuesday, April 29, 2014 - 12:40

Reason

Security Update

Impact

All Internet Explorer Users

WHAT HAPPENED?

Microsoft disclosed a vulnerability in all versions of Internet Explorer that is being used in "limited, targeted attacks."

Advanced Users: For a complete description of the vulnerability and affected software refer to Microsoft Security Advisory 2963983 at https://technet.microsoft.com/en-US/library/security/2963983.

 

AFFECTED SYSTEMS:

  • Internet Explorer 6 through 11

Note: Windows Server versions on which IE is run in the default Enhanced Security Configuration are not vulnerable unless an affected site is placed in the Internet Explorer Trusted sites zone.

 

WHAT'S THE PROBLEM?

Microsoft is currently analyzing the vulnerability and the exploit but has not yet released a software update to protect users against this vulnerability.

An attacker who successfully exploits this vulnerability could take control of your computer to install programs; view, change, or delete data; or create new accounts with full user rights.

HOW DO I PROTECT MY COMPUTER?

Until Microsoft releases a security software update, use the following workarounds:

1. Refrain from using Internet Explorer, unless absolutely necessary.

2. If you’re unable to use an alternate browser (e.g. Chrome, Safari), refer to Microsoft Security Advisory 2963983 at https://technet.microsoft.com/en-US/library/security/2963983 for workaround solutions. Some suggestions include:

  • Installing Enhanced Mitigation Experience Toolkit (EMET) 4.1. EMET helps protect against new and undiscovered threats even before they are formally addressed through security updates or antimalware software. For more information refer to http://technet.microsoft.com/en-US/security/jj653751. ITFS Windows XP users already have EMET installed on their computers.
  • Setting Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
  • Configuring Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zones.

3. Ensure your computer meets UCSF Minimum Security Standards for Electronic Information Resources - /policies/ucsf-minimum-security-standards-electronic-information-resources.
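
Advanced Users: the PowerShell below is an added example, not part of Microsoft's advisory or UCSF's guidance, for checking whether the zone workarounds listed under item 2 are in effect on a computer. It assumes PowerShell 3.0 or later and reads the standard Internet Explorer zone registry values (zone 1 = Local intranet, zone 3 = Internet, action 1400 = Active Scripting); the function name Get-IEZoneAudit is hypothetical.

```powershell
# Added example: report the security level and Active Scripting setting
# for the Local intranet (1) and Internet (3) zones.
$zones = [ordered]@{ '1' = 'Local intranet'; '3' = 'Internet' }

# Locations where zone settings can be stored. Policy keys are listed
# first because Group Policy settings, when present, replace the user's own.
$roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

$scriptingStates = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$highLevel = 0x12000   # CurrentLevel value for the "High" template

function Get-IEZoneAudit {
    foreach ($root in $roots) {
        foreach ($id in $zones.Keys) {
            $key = Join-Path $root $id
            if (-not (Test-Path $key)) { continue }   # nothing configured here

            $props     = Get-ItemProperty -Path $key
            $level     = $props.CurrentLevel
            $scripting = $props.'1400'

            # A missing value means this location does not define the setting.
            $scriptingText = if ($null -eq $scripting) { 'not set' }
                             elseif ($scriptingStates.ContainsKey([int]$scripting)) { $scriptingStates[[int]$scripting] }
                             else { "unknown ($scripting)" }
            $levelText = if ($null -eq $level) { 'not set' } else { '0x{0:X}' -f $level }

            # Either workaround counts: zone at High, or scripting set to prompt/disable.
            $applied = ($level -eq $highLevel) -or ((1, 3) -contains $scripting)

            [pscustomobject]@{
                Zone              = $zones[$id]
                Location          = $root.Substring(0, 4)   # HKLM or HKCU
                Policy            = $root -like '*\Policies\*'
                CurrentLevel      = $levelText
                ActiveScripting   = $scriptingText
                WorkaroundApplied = $applied
            }
        }
    }
}

Get-IEZoneAudit | Format-Table -AutoSize
```

A zone where WorkaroundApplied is False in every location it appears still runs Active Scripting without prompting.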

 