Microsoft Corp. issued a warning on Saturday 26th April about a vulnerability that could allow remote code execution, and which affects every single version of Microsoft Internet Explorer – their Technet Security Advisory 2963983 can be found here.
There is a lot more information on the zero-day vulnerability in this Gizmodo article, but the gist of the article is that there are ACTIVE EXPLOITS making use of this vulnerability – largely targeting MSIE versions 9, 10 and 11. The attack is called a “use after free” attack and is a fairly complex memory corruption, which then allows the attacker to run arbitrary code on the attacked machine.
According to internet security firm FireEye, the share of Internet Explorer users is as high as 26% of all internet users – so more than a quarter of all browsers being used on the internet have the potential to fall foul of this zero-day exploit in MSIE.
Gizmodo suggests that as XP is now “end of life”, there won’t even be a patch for this problem coming to an XP machine – as in, EVER!
So, if you’re still using XP and you have to keep using that machine, then you would be WELL ADVISED not to use Internet Explorer, but to use the latest Mozilla Firefox instead… we actually recommend not using the XP machine to access the internet at all.
FireEye has suggested that running Enhanced Protected Mode (available in MSIE 10 or higher), or Microsoft's EMET toolkit, will prevent your browser being attacked using this method – and disabling Adobe Flash will also stop the threat from running in your Internet Explorer.
We suggest Firefox 29 as an alternative browser, at least until Microsoft releases an out-of-cycle patch for MS Internet Explorer. There are at least two other workarounds or fixes which you could deploy: one, run EMET (Enhanced Mitigation Experience Toolkit, as suggested by FireEye); the other would be to change the ActiveX settings for the Internet Zone so that you are prompted before a webpage runs ActiveX, rather than the controls just running automatically.
Here is how to change your Internet Explorer to prompt you:
First open the “Tools” menu, then select “Internet Options”. If you do not see the “Tools” menu, hit your ALT key once and it should appear:
Next, select the “Security” tab across the top (in MSIE 11 it is next to General), then click “Custom Level” to open the “Security Settings” for the Internet Zone. Finally, change every ActiveX setting from Enable/automatic to “Prompt”:
Finally, click OK and Apply. We recommend restarting your computer to be sure that every browser window is closed and has picked up the new settings.
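If you need to check or roll out the same change on several machines without clicking through the dialog, here is an added PowerShell example (not from the original article) that audits the Internet Zone ActiveX entries the “Custom Level” steps above touch and, with -Apply, sets them to Prompt. The zone action IDs, the 0/1/3 encoding and the Security_HKLM_only override are the ones Internet Explorer stores in the registry; the script only covers the entries that actually offer a Prompt choice.

```powershell
# Added example (not from the original article): audit, and optionally set to Prompt,
# the Internet Zone (zone 3) ActiveX settings changed by hand in the steps above.
# Run it as the user whose Internet Explorer settings you want to check.
param([switch]$Apply)

$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
# If an administrator has forced machine-wide zone settings (Security_HKLM_only = 1),
# Internet Explorer ignores the per-user copy and reads HKLM instead.
$inetKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$hklmOnly = (Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue).Security_HKLM_only
if ($hklmOnly -eq 1) { $zoneKey = $zoneKey -replace '^HKCU:', 'HKLM:' }

# Zone action IDs for the ActiveX entries that have a "Prompt" option in Custom Level.
$actions = [ordered]@{
  '1001' = 'Download signed ActiveX controls'
  '1004' = 'Download unsigned ActiveX controls'
  '1200' = 'Run ActiveX controls and plug-ins'
  '1201' = 'Initialize and script ActiveX controls not marked as safe for scripting'
  '1405' = 'Script ActiveX controls marked safe for scripting'
}
# How Internet Explorer encodes the radio buttons in the dialog.
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$props = Get-ItemProperty -Path $zoneKey
foreach ($id in $actions.Keys) {
  $current = $props.$id
  $state = if ($null -eq $current) { 'not set (inherits default)' }
           elseif ($labels.ContainsKey([int]$current)) { $labels[[int]$current] }
           else { "unknown ($current)" }
  # 0 means the control type still runs without asking; that is what the article warns about.
  $flag = if ($current -eq 0) { '  <-- still Enable' } else { '' }
  '{0}  {1,-75} {2}{3}' -f $id, $actions[$id], $state, $flag

  if ($Apply -and $current -ne 1) {
    Set-ItemProperty -Path $zoneKey -Name $id -Value 1 -Type DWord
    "      set $id to Prompt"
  }
}
if (-not $Apply) { 'Re-run with -Apply to change every entry above to Prompt (1).' }
```

Group Policy settings for the Internet Zone take precedence over both registry copies, so on a domain-joined machine a managed value will silently win over what this script writes; as with the manual steps, close every Internet Explorer window before relying on the new values.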
Contributor Greg Hewitt-Long runs the IT security consultancy Computer Security Solutions llc and Web Your Business Inc. with his wife & business partner. Based in Johnstown, CO – they have their eyes and ears on IT subjects from Web Design, to Web Hosting, with Security being the glue that ties their businesses together.