Redmond's Butterfly Effect

Most of you have heard of a reportedly widespread compromise of an unknown number of clients through an unpatched vulnerability in Internet Explorer. The clients were owned by visiting commercial web sites that had previously been compromised by a yet undetermined method; the attackers dropping code onto those servers that customers would then launch when the site was visited.

While some speculate that an IIS zero day was used to own the servers, my guess is that the hosting boxes were not patched against a recent vulnerability (something like MS04-11). I would normally say "Hey, you should have been patched" and gone about my business. But this event is a bit different.

Here we had multiple vulnerabilities in IE, at least one spanning back months, which have remained un-patched by Microsoft. The culmination of the vulnerabilities allows for silent code execution on the client box: zones crossed, files downloaded, code executed, boxes owned. Microsoft's own little butterfly effect.

To be quite frank, this really, really sucks.

This event perfectly illustrates points that we in the security community have been making for quite some time -- attacks are getting more and more complex, and attackers are using multiple vulnerabilities to carry them out. It also represents what I consider a flaw in the way the IE security team looks at and rates vulnerabilities. The "mitigating factors" in these vulnerabilities have always been determined by looking at the problems in singularity. Things like "an attacker would have to be able to write files locally" or "this would only work if code was run in the Local Intranet Zone."