Stop Using Internet Explorer! That’s the advice that the United States Department of Homeland Security’s Computer Emergency Readiness Team (CERT) are giving their citizens. The United Kingdom National Computer Emergency Response Team, known as CERT-UK are recommending that UK citizens do likewise.
The issue is a flaw, referred to as the Zero Day flaw, which affects Internet Explorer versions 6 through 11. It allows hackers to remotely execute code on your computers. This allows the hackers to install malware on your computer without your consent or knowledge. This malware then allows the hackers to steal personal data, gain control of your computer, or track your online usage.
The actual CERT advisory states:
“US-CERT is aware of active exploitation of a use-after-free vulnerability in Microsoft Internet Explorer. This vulnerability affects IE versions 6 through 11 and could allow unauthorized remote code execution.
US-CERT recommends that users and administrators review Microsoft Security Advisory 2963983 for mitigation actions and workarounds. Those who cannot follow Microsoft’s recommendations, such as Windows XP users, may consider employing an alternate browser.”
The flaw was discovered by the security firm, FireEye, this past Friday. FireEye said the vulnerability was especially significant as it targets more than a quarter of the browser market.
It appears that, at least for the time-being,
In its advisory, the security firm explains, “Collectively, in 2013, the vulnerable versions of IE accounted for 26.25% of the browser market.”
The group responsible for the threat, Advanced Persistent Threat (APT), has launched browser-based attacks in the past.
FireEye analysts say that the exploits by APT are “…extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure.”
As of this writing, Microsoft has yet to release a patch to fix the exploit. They have, however, issued Microsoft Security Advisory 2963983 which provides users a number of mitigation actions as well as workarounds.
Some of these workarounds include installing Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) 4.1, setting IE Internet and Local intranet security zone settings to “High,” unregister vgx.dll, and a host of others. All of the workarounds have negative impacts such as “Applications that render VML will no longer do so.”
Windows XP users are not likely to receive a patch as Microsoft dropped all support for Windows XP as of April 8th of this year.
Regardless of what version of Windows you currently use, we highly recommend that you immediately stop using Internet Explorer (why haven’t you before?), switch your browser of choice to Google Chrome or Mozilla Firefox. If and when Microsoft does release a fix for the flaw, it’s highly recommended that you still not use IE and continue to use Chrome or Firefox for your web browsing.