Lest you think Microsoft has finally plugged the many holes in the S.S. Internet Explorer, Patch Tuesday December includes four critical upates (Microsoft’s “critical” rating means they should be applied immediately) addressing newly discovered weaknesses, including an active zero-day exploit of the OLE (Object Linking & Embedding) platform. This particular chunk of code allows Microsoft apps like Office Word and Outlook to exchange documents between each other: when you insert an Excel spreadsheet into a Word document and it shows up as an editable spreadsheet, that’s OLE at work. In this case, the exploit allows hacked Office documents attached in Outlook emails to circumvent security, typically for the express purpose of installing other malware onto the victim’s machine.
What this means for you:
I can already see your eyes glazing over, and I don’t blame you. Microsoft’s bulletins are making me cross-eyed as well. Here’s what you need to do:
- Make sure your OS is patched. The updates should start arriving on computers as early as tonight. Unless your machine is being managed by an internal IT department and they’ve disabled this functionality, your Windows OS should be set to automatically download and patch all important updates from Microsoft. If you are not sure if your computer is set up this way, you can check by going to Control Panels -> Windows Update.
- If you must use Internet Explorer, avoid using it until you get fully updated with the latest round of patches (see #1). If it’s possible, consider using an alternative such as Firefox or Chrome. While neither is guaranteed free of security bugs, they are still faring better than IE in terms of exploits.
As always, avoid opening strange and/or unexpected attachments. If you regularly exchange documents with others via the internet, consider using a secure filesharing platform other than Dropbox or Drop or any of the numerous clones that offer free apps. Instead, look into options like Citrix Fileshare (we use it here at C2) for a much more secure and fully encrypted way to exchange documents.