ALERT: Serious Internet Explorer Flaw Discovered
Security holes in Web browsers are hardly unusual, and Microsoft’s Internet Explorer has had more than its fair share exploited and exposed. But the latest flaw is a doozy so dangerous that governments are urging users to switch to alternative browsers until Microsoft issues a patch. And it isn’t clear when that patch will be issued. Find out what you must do NOW...
Internet Explorer: Unsafe at Any Speed
The vulnerability, reported by security research firm FireEye on April 26, exists in all versions of Internet Explorer from 6 through 11! Yes, it went undiscovered that long; IE 6 was released in 2001, shortly after the launch of Windows XP. The flaw enables an attacker to bypass IE’s built-in protections against execution of downloaded code and manipulate the browser’s memory space to obtain the same privileges on the affected machine that its user has.
Translation: If you run Internet Explorer, this bug could enable a hacker to do almost anything on your computer. That's very bad. And you need to take action right away to protect yourself.
A hacker’s exploit that takes advantage of this vulnerability in IE versions 9 through 11 was discovered by FireEye. Although this specific exploit does not affect earlier IE versions (6, 7, and 8), they are still vulnerable to the underlying flaw. But as Ralph Nader might say, ALL versions of Internet Explorer should be considered "unsafe at any speed" until this problem is resolved.
Here's an even bigger surprise: the fix is available for Windows XP. Microsoft officially ended support for XP on April 8th, and it was expected that XP users would not get a fix for this critical flaw. A Microsoft rep said that due to the proximity of the discovery of this problem to the XP "end of life" date, and the severity of the problem, they decided to issue what is likely to be the final XP patch.
My advice: Make sure you've got Windows Update turned on and running on autopilot. (Open Control Panel, then "System and Security".) Also, if you've already switched to an alternate browser such as Google Chrome or Firefox, consider sticking with it, especially if you are clinging to XP.
The malicious code is embedded in a Flash file that may be planted on a Web site. The malware is triggered when a user plays the Flash file. But keep in mind that even if you don’t have Flash installed (or you've disabled Flash), the vulnerability still exists and can be exploited in other ways.
Microsoft acknowledged the vulnerability and “a limited number” of instances of its exploitation on April 27. The company promised a fix but did not specify whether the fix will be issued as soon as it’s ready or on the scheduled May 13 “patch Tuesday” when monthly security updates are made available via Windows Update. Note that there is no guarantee that a patch will be ready by May 13.
Also note that Windows XP die-hards will not get a patch for this vulnerability. All support, including critical security updates, for that obsolete operating system ended on April 8. This is the first time that XP users will remain vulnerable to hackers while users of later Windows versions get patches. (See Windows XP: Game Over)
What Steps Should You Take?
Computer emergency response teams (CERTs) in the USA, UK, and Sweden have advised Windows users to avoid using Internet Explorer until a patch is issued. Popular web browsers such as Google Chrome and Firefox are recommended as alternatives to Internet Explorer.
XP and Vista users can reduce their vulnerability by installing Microsoft’s Enhanced Mitigation Experience Toolkit. (Astute readers will remember that I mentioned this tool recently in Free Microsoft Security Tools.) Also, for 64-bit systems running versions 10 or 11 of IE, there is a feature called Enhanced Protected Mode (EPM) that can be enabled to guard against this vulnerability. Instructions for turning on EPM can be found in the Suggested Actions section of Microsoft Security Advisory 2963983.
Security firm Sophos outlines two more mitigation methods for XP users: turning off Active Scripting and unregistering the VGX.DLL file. Step-by-step instructions are provided by Sophos in its bulletin about the vulnerability.
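A read-only check of three of the mitigations named above (Enhanced Protected Mode, Active Scripting, VGX.DLL registration), added here as an example; it is not from this article, Microsoft or Sophos. The registry paths and value names are assumptions based on how IE commonly stores these settings, and Group Policy can override the per-user values.

```powershell
# Added example: audits mitigation state only; it changes nothing on the machine.
# Registry locations below are assumptions (general Windows/IE knowledge, not from the article).

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of raising an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-ActiveScriptingState {
    param([int]$Zone)   # 3 = Internet zone, 1 = Local intranet zone
    # URL action 1400 is Active Scripting: 0 = Enable, 1 = Prompt, 3 = Disable.
    $names = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $v = Get-RegValue $key '1400'
    if ($null -eq $v) { 'NotSet' }
    elseif ($names.ContainsKey([int]$v)) { $names[[int]$v] }
    else { "Unknown($v)" }
}

function Test-EpmEnabled {
    # IE 10/11 record the "Enable Enhanced Protected Mode" checkbox as Isolation = PMEM.
    (Get-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Main' 'Isolation') -eq 'PMEM'
}

function Test-VgxRegistered {
    # Unregistering a DLL removes the COM class entries that point at it; the file stays on disk.
    # Both views are scanned because 32-bit IE on 64-bit Windows uses Wow6432Node.
    $roots = 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID'
    foreach ($root in $roots) {
        foreach ($clsid in (Get-ChildItem $root -ErrorAction SilentlyContinue)) {
            $sub = $clsid.OpenSubKey('InprocServer32')
            if ($null -eq $sub) { continue }
            $dll = $sub.GetValue('')      # default value = path of the in-process server
            $sub.Close()
            if ($dll -like '*\vgx.dll') { return $true }
        }
    }
    return $false
}

New-Object PSObject -Property @{
    EnhancedProtectedMode     = Test-EpmEnabled
    ActiveScriptingInternet   = Get-ActiveScriptingState -Zone 3
    ActiveScriptingIntranet   = Get-ActiveScriptingState -Zone 1
    VgxDllStillRegistered     = Test-VgxRegistered
} | Format-List
```

A machine with the workarounds applied would report Active Scripting as `Disabled` or `Prompt` and `VgxDllStillRegistered` as `False`; `NotSet` means the zone is using its template default rather than an explicit value.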
Whatever you do, don’t do nothing. This vulnerability is actually being exploited “in the wild” right now; it is not a hypothetical danger but a real, active one.
This article was posted by Bob Rankin on 30 Apr 2014
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- ALERT: Serious Internet Explorer Flaw Discovered (Posted: 30 Apr 2014)