
SANS ISC: Threat Level Yellow: Protection recommendations regarding Internet Explorer exploits in the wild - SANS Internet Storm Center


The Internet Storm Center is beginning to see increased evidence of exploits in the wild regarding Microsoft Security Advisory 2887505.  Accordingly, we're moving the InfoCon up to Yellow.

Per the advisory:
Microsoft is investigating public reports of a vulnerability in all supported versions of Internet Explorer. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Internet Explorer 8 and Internet Explorer 9. Applying the Microsoft Fix it solution, CVE-2013-3893 Fix It Workaround, prevents the exploitation of this issue. This FixIt solution also includes EMET 4.0 guidance. Certainly consider use of EMET 4.0 where you can. Please note, the Fix It seems to only help 32-bit versions of browsers. That said, the vulnerability affects all versions of Internet Explorer except in instances of Windows Server 2008 and 2012 Core installations.
It appears that an exploit has been in the wild since August 29th, 2013 when it was first seen by one of the online security scanners.  There is some indication that a weaponized exploit may be in broader circulation now, so expect this to ramp up quickly.
Emerging Threats does have Snort signatures available for this issue: Expect Rapid 7 to likely release Metasploit bits in the near term. We'll update here as we see more on this vulnerability emerge.
Russ McRee

204 Posts
ISC Handler
Sep 20th 2013
The / file isn't updating on a status change.

1 Posts
Are you able to send a notification on ?

5 Posts
High Severity
September 20, 2013 21:24
The latest Internet Explorer vulnerability is being used in targeted attacks and it's just a matter of time before larger-scale attacks take place...
19 Sep 2013 - "... The simplest way to avoid this risk is to use a browser other than Internet Explorer..."

34 Posts
The word went out to my users to use Firefox (which is installed on all our Windows boxes) instead of Internet Explorer as soon as I saw the yellow...

133 Posts
As earlier mentioned on these pages; just make sure your backup browser is up to par.. Our Chrome was at v26, I'm not sure which evil to choose... ;-(

70 Posts
Please can the on-duty handler update as to why the threat level has moved back to green.

Unless I'm missing something, there it's happened automatically.


9 Posts
We only raise the threat level if there is significant news and "change". Moving back to green means that there wasn't anything else to talk about. The threat remains active, but at this point it is just part of "the internet is broken as usual".

Typically we keep the threat level at yellow for 24 hrs unless there is a new issue or a significant change to the issue that caused the threat level to be raised. In this case, since we raised it on Friday PM (US Time), we kept it up until Monday.

4511 Posts
ISC Handler
