Here at work we have a corporate auditor. He’s really great at bringing up sticky, needly, uncomfortable issues (which is what auditors should do). Recently he’s been making noise about the whole IE issue.
The following is excerpted from my response to him:
The security issues with IE are real. In my consulting with various companies around the world on this issue, my basic stance has been to ask:
1. Is it feasible or possible to switch off of IE across-the-board?
2. Is maintaining IE security something the organization is prepared to do?

Before I get to that, I want to cover the few issues you’ve identified over the last week, most notably:
SHELL.APPLICATION (despite what you may have read, this is different from the download.ject issue, as it’s a more global fix, whereas download.ject is only for the current issue)
ADODB.STREAM
DOWNLOAD.JECT

For each of these issues, the guidance from Microsoft is similar (see here: http://www.microsoft.com/security/incident/download_ject.mspx):
1. Install the update
2. Lock down IE
3. Lock down MDAC
4. Check your IIS machines

We do all of these on a regular basis as it is right now, which is why the short version of my personal position between staff members here at C&IS is “this is a non-issue”. That said, every security issue needs to be treated as critical, so let’s get to the realities of HSC’s current situation:
In my understanding of HSC’s systems, an overall switch is not feasible or possible. Too many of the applications we use on a daily basis (WebCT and Facilities Management apps come to mind) require things like ActiveX, VBScript, etc. as a core part of their operation. As such, our options are limited to: switch and bear the consequences, switch partially and have to support IE anyways (see point 2 in a second) or don’t switch at all (see point 2 in a second). Because I do not feel that we can simply switch and bear the consequences (most of these apps are internally written, and I don’t believe we have the resources to redevelop them), the only real option is not to switch.
The second issue is whether we are prepared to continue maintaining IE. The steps to maintain IE are fairly clear:
1. Ensure updates are tested, approved and rolled out
2. Ensure the LMZ (local machine zone) is properly implemented
3. Ensure “core components” (MDAC, ActiveX, WSH, etc.) are properly locked down and patched
4. Ensure IIS usage is kept to a minimum (for IIS 3-5) and patched (for all versions of IIS)

While I would love to say that we are doing a perfect job of this, I can’t. I can say that our security efforts in this regard have increased drastically with the usage of SUS to automatically update clients, the usage of regular scans of our networks both for vulnerabilities in general and for workstations, and scans of Microsoft software.
I’m sure you already read a number of sources, however http://channel9.msdn.com is a fantastic source of ‘inside’ Microsoft information. It’s one of the ways I’ve gotten to know the heads of Security, the Microsoft Security Response Centre and most of the Microsoft product teams. When issues like this come out, Channel 9 allows you to get the scoop directly from the horse’s mouth (like here: http://channel9.msdn.com/ShowPost.aspx?PostID=11308).
My apologies on the length of this, it was my intent to try and keep it short and simple, however the issues at hand are neither short nor simple.
To try and summarize where I feel we stand right now in relation to Internet Explorer:
1. Our environment, as it stands, protects us from all but the ‘browsing related’ bugs, by default (with the exception of malicious intrusions)
2. We are currently engaging in an active, and automatic, campaign of patching our workstations
3. We are considering rolling out the registry patches to our computers on top of these mechanisms

At the end of the day, I do not (personally) feel a widespread switch away from IE is feasible. As a result, we still have to support it, and our best efforts so far, while not ideal, are a very big step in the right direction.
His response?
This is great stuff and summarizes HSC’s position.
This is a risk analysis that can be referred to, should an event occur, and demonstrates that you were proactive in addressing the risks and other related issues and had taken specific actions to deal with what has become an untenable situation for many organizations.
… That’s just about the highest praise an auditor can give
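As an added illustration of the “lock down MDAC” and “registry patches” items in the memo above (this is not from the original post or from Microsoft’s guidance), the following PowerShell audit script reports whether IE’s ActiveX “kill bit” (Compatibility Flags 0x400) is set for the two controls named above. The CLSIDs for ADODB.Stream and Shell.Application and the ActiveX Compatibility registry path are supplied here as assumptions; verify them against your own Microsoft documentation before relying on the result.

```powershell
# Added audit helper: reports whether the IE kill bit is set for the ActiveX
# controls named in the memo. Assumed values (not from the post): the CLSIDs
# below and the ActiveX Compatibility key path. Requires a Windows host.
$controls = @{
    'ADODB.Stream'      = '{00000566-0000-0010-8000-00AA006D2EA4}'
    'Shell.Application' = '{13709620-C279-11CE-A49E-444553540000}'
}
$base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit = 0x400   # bit IE checks before instantiating a control

function Test-KillBit {
    param([string]$Name, [string]$Clsid)
    $key   = Join-Path $base $Clsid
    $flags = 0
    if (Test-Path $key) {
        # Missing value is treated as 0 (no flags, control allowed to load)
        $val = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $val) { $flags = [int]$val }
    }
    [pscustomobject]@{
        Control = $Name
        CLSID   = $Clsid
        Flags   = ('0x{0:X}' -f $flags)
        KillBit = (($flags -band $KillBit) -ne 0)
    }
}

$results = foreach ($c in $controls.GetEnumerator()) {
    Test-KillBit -Name $c.Key -Clsid $c.Value
}
$results | Format-Table -AutoSize

# Non-zero exit lets a scan job (e.g. one pushed alongside SUS updates) flag hosts
$missing = $results | Where-Object { -not $_.KillBit }
if ($missing) {
    Write-Warning ('Kill bit not set for: ' + ($missing.Control -join ', '))
    exit 1
}
```

Run it with administrative rights on a sample workstation; a clean run prints both controls with KillBit set to True and exits 0.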

July 15th, 2004 at 8:58 am
Say Hi to Gil for me
Sean