Microsoft Warns of Internet Explorer Security Gap
Until Microsoft issues a security fix, I recommend discontinuing your use of Internet Explorer, regardless of version.
A Security Advisory released by Microsoft on April 26, states that the company is “aware of limited, targeted attacks that attempt to exploit a vulnerability” in Internet Explorer versions 6 through 11.
According to the release, the vulnerability would allow an attacker to host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by opening an attachment sent through email.
An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
The company is working on a safety fix that it will provide in an upcoming software update. Until then, Microsoft encourages customers to enable a firewall, apply all software updates and install anti-malware software. I encourage you to utilize Firefox, Chrome or another browser.
What to do until Microsoft issues a fix
- As always, don’t click on links unless you know and trust the sender.
- Download the free security software called the Enhanced Mitigation Experience Toolkit (EMET) from Microsoft
- Because the attack will not work without Adobe Flash, disabling the Flash plugin within IE will prevent the exploit from functioning
- According to FireEye, the security lab that discovered the vulnerability, Enhanced Protection Mode (EPM) in IE10 and IE11 will prevent the exploit. It is not turned on by default. This article show how to enable EPM in IE.
- Security experts say it may be easier to use another browser such as Google Inc’s Chrome, Mozilla’s Firefox or Opera Software ASA’s Opera.