Blue Coat Labs

Labs Blog

Protecting Your Organization’s Web Browsing from the New Internet Explorer Vulnerability

Tim Chiu

On Saturday, April 26, Microsoft announced that users of Internet Explorer (IE) versions 6 through 11 were at risk from a newly discovered vulnerability that allows drive-by attacks from malicious websites to gain control of and hijack the user’s Windows-based computer. The new vulnerability, identified as CVE-2014-1776, allows an attacker to execute arbitrary code as the current user, and affects all current versions of Windows capable of running these IE versions, including Windows XP, which won’t be getting a fix for this issue, as support for Windows XP ran out 3 weeks ago.

For now, many leading security vendors and advisors, including the U.S. Department of Homeland Security, are recommending that users forgo using IE until Microsoft comes out with a patch or fix. That’s easy to recommend, but how are IT administrators going to be able to enforce this restriction on users in their networks?

If the IT administrator is using Blue Coat’s ProxySG Secure Web Gateway solution, the fix is relatively easy. ProxySG offers granular policy capabilities, including the ability to restrict who can browse the web based on browser type and version. In this case, a policy can block any user browsing with IE versions 6 through 11. For an added level of convenience, it’s also possible in ProxySG to display a coaching web page for users of vulnerable browsers, explaining that they are using a browser with a security issue and asking them to switch to a different browser to view the web. Once a patch is released, this coaching page could include information about how to download the security patch. For more information on creating a coaching policy and coaching page, see the Knowledge Base article KB1490.

ProxySG allows policy to be set based on the browser type and version, also referred to as the user agent. This policy is set in the Visual Policy Manager (VPM), a Graphical User Interface (GUI) that allows for relatively sophisticated policy. If a business finds itself in need of even more complex policy, ProxySG also supports a Content Policy Language (CPL) that allows for highly customizable policy rules.

To create a simple policy blocking use of IE, open up VPM and click “Policy” followed by “Add Web Access Layer”. Once you’ve added the “Web Access Layer”, click on “Add Rule”. Then, right-click over the “Source” setting of the new policy rule to create a new object. Click “Set” in the menu that appears as below:



Once you’ve clicked on “Set”, you’ll get a pop-up menu that says “Set Source Object”. In this dialog box, click on the “New…” box to choose a type of object to create policy around.




In this case, select “Request Header…”, which will bring up a pop-up box titled “Add Request Header”.


Select “User-Agent” for the “Header Name” we’ll match against, and under “Header Regex”, enter

(MSIE.*; Win)|(Windows.*rv:11.0)

as shown above, and click “OK”. This snippet of “Header Regex” will match all versions of IE including IE11. Make sure the action is set to “Deny” and you’ve now created the rule to take care of all versions of IE. Click “Install Policy”, and you’ve now made this policy go live.

If you’ve been paying careful attention, you’ll note that the regex we used has two parts, the left and right sections of the expression separated by a “bar”. The left-hand side takes care of all versions of IE up through version 10. The right-hand side takes care of IE 11, the latest version of Internet Explorer. The reason there’s a need for two expressions is that in IE 11, Microsoft chose not to use “MSIE” in the user agent string, so IE11 can’t be matched simply by looking for “MSIE” in the user agent (for more information on detecting IE11 as a user agent, see the Knowledge Base article KB6001). Instead, to match IE11 we have to use other strings in the request header.
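Before installing a deny rule like this, it is worth running the pattern against representative User-Agent values to see what it catches and what else it blocks. The following is an added example, not part of the original post or Blue Coat's documentation: it assumes the header regex is applied as an unanchored search, uses constructed sample headers, and introduces a hypothetical narrower right-hand side (`NARROW_REGEX`) for comparison.

```python
import re

# Pattern exactly as given in the article for the "Header Regex" field.
PAGE_REGEX = re.compile(r"(MSIE.*; Win)|(Windows.*rv:11.0)")

# Hypothetical narrower variant (not from the article): require the
# Trident/7.0 engine token that IE11 sends ahead of rv:11.0.
NARROW_REGEX = re.compile(r"(MSIE.*; Win)|(Trident/7\.0.*rv:11\.0)")

# Constructed sample User-Agent headers: (label, header value, is it IE?)
SAMPLES = [
    ("IE 8", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)", True),
    ("IE 10", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)", True),
    ("IE 11", "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko", True),
    ("Firefox 28", "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0", False),
    ("Firefox 11", "Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0", False),
    ("Chrome 34", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
                  "Chrome/34.0.1847.131 Safari/537.36", False),
]


def evaluate(pattern):
    """Return (missed_ie, blocked_non_ie): labels the deny pattern gets wrong."""
    missed_ie, blocked_non_ie = [], []
    for label, user_agent, is_ie in SAMPLES:
        denied = pattern.search(user_agent) is not None  # unanchored match (assumption)
        if is_ie and not denied:
            missed_ie.append(label)
        elif denied and not is_ie:
            blocked_non_ie.append(label)
    return missed_ie, blocked_non_ie


if __name__ == "__main__":
    for name, pattern in (("article regex", PAGE_REGEX), ("narrower variant", NARROW_REGEX)):
        missed, overblocked = evaluate(pattern)
        print(f"{name}: missed IE = {missed}, non-IE blocked = {overblocked}")
```

On these samples the article's pattern denies every IE version, and its right-hand side also denies Firefox 11 on Windows because that browser sends `rv:11.0` as well; the narrower variant avoids that overlap.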

With the flexibility and ease of policy within ProxySG, you can ensure your users are using a safe browser, at least until the next vulnerability is discovered.

If you haven’t yet gotten around to implementing policy to prevent vulnerable browsers from accessing the internet, or if you’re currently not using Blue Coat ProxySG but are instead using a product that uses our WebPulse Global Intelligence Network, you can be assured that Blue Coat’s WebPulse has been blocking known malware threats. If you’re also a user of ProxyAV or Content Analysis System, you’ve been scanning any user-initiated downloads for malware as well.

And finally, if any user does happen to get infected, the Blue Coat Security Analytics Platform provides the ability to research and determine who has been infected and determine the source of the infection. 

It seems like a new vulnerability is found every day.  If you’re using Blue Coat ProxySG, make sure you’ve protected your users by using the policy we’ve outlined above.   It’ll give you one more layer of protection in today’s threat-laden world.