Even the U.S. and UK Governments say stop using Internet Explorer
Microsoft has issued a warning regarding a recently-discovered zero-day flaw in Internet Explorer, and even the U.S. and UK governments advise consumers to stop using the browser.
This severe vulnerability is the first one to be discovered after Microsoft put its old Windows XP to bed, and affects all versions of the software starting with Internet Explorer 6. This means that all subsequent versions - IE7, IE8, IE9, IE10, and IE11 - are affected as well, not just IE 6. If exploited, the vulnerability could allow for the remote execution of code, posing serious risks.
"The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated," Microsoft explains. "The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer."
In light of these findings, the United States Computer Emergency Readiness Team - US-CERT and its UK counterpart - UK-CERT - have issued warnings themselves to advise users at risk.
"US-CERT is aware of active exploitation of a use-after-free vulnerability in Microsoft Internet Explorer. This vulnerability affects IE versions 6 through 11 and could allow unauthorized remote code execution," reads a warning. "US-CERT recommends that users and administrators review Microsoft Security Advisory 2963983 for mitigation actions and workarounds. Those who cannot follow Microsoft's recommendations, such as Windows XP users, may consider employing an alternate browser."
According to Microsoft, however, the vulnerability is not that easy to exploit. In order to exploit it via the web, an attacker would need to set up a specially designed website containing code, and would also have to convince people to access the website. Even so, the company still strongly recommends that all users run an enabled firewall, apply all available software updates, and install reliable and efficient anti-malware software to protect their machines.
While it is highly advisable to use an alternate browser, those who still want to use Internet Explorer can at least reduce the risk by taking some precautionary measures. For instance, Internet Explorer in Windows Server versions 2003, 2008, 2008 R2, 2012, and 2012 R2, runs in a restricted mode by default. This Enhanced Security Configuration can significantly reduce the risk of exposure to the flaw. Similarly, Microsoft Outlook, Outlook Express, and Windows Mail also minimize the risk by opening HTML email messages in the Restricted sites zone.
As far as actually solving the issue goes, currently there is no fix available. Microsoft said that a solution may arrive either via its monthly security update release, or through an out-of-cycle security update. The company has yet to provide a date for when a patch will become available to solve the issue.
As expected, Windows XP users will not receive any patch to fix this vulnerability, as Microsoft has ended all support for the old OS earlier this month. For other versions of Windows, use an alternate browser until Microsoft issues a patch.