If you’re running Internet Explorer (MSIE) on your PC, you’ve got a vulnerability that’s dangerous, so dangerous that Microsoft’s poised to release a special system patch. While you’re waiting, here’s how to change the settings on your browser to minimize the risk…
Microsoft Corp. issued a warning on Saturday 26th April about the vulnerability, which could allow remote code execution and which affects every single version of Microsoft Internet Explorer – their TechNet Security Advisory 2963983 can be found here.
There is a lot more information on the zero-day vulnerability in this Gizmodo article, but the gist is that there are ACTIVE EXPLOITS making use of this vulnerability – largely targeting MSIE versions 9, 10 and 11 – the attack is called a “use after free” attack and is a fairly complex memory corruption, which then allows the attacker to run arbitrary code on the attacked machine.
According to internet security firm FireEye – the percentage of Internet Explorer users is as high as 26% of all internet users – so more than a quarter of all browsers being used on the internet have the potential to fall foul of this zero-day exploit in MSIE.
Gizmodo suggests that as XP is now “end of life” – there won’t even be a patch for this problem coming to an XP machine – as in – EVER… !!
So – if you’re still using XP and you have to use that machine still – then you would be WELL ADVISED – to not use Internet Explorer, but use the latest Mozilla Firefox instead… we actually recommend not using the XP machine to access the internet at all.
FireEye has suggested that running the Enhanced Protection Mode (EMET) in MSIE 10 or higher will prevent your browser being attacked using this method – and disabling Adobe Flash will also stop the threat from running on your Internet Explorer.
We suggest Firefox 29 as an alternate browser, at least until Microsoft releases an out-of-cycle patch for MS Internet Explorer. There are at least two other workarounds or fixes which you could deploy – one, run EMET (Enhanced Mitigation Experience Toolkit – as suggested by FireEye) – the other would be to change ActiveX settings for the Internet Zone so that you are prompted to run ActiveX by webpages, rather than the scripts just running automatically.
Here is how to change your Internet Explorer to prompt you:
First open the “Tools” menu, then select “Internet Options” – if you do not see the “Tools” menu – hit your ALT key once, and it should appear:
Next, select the “Security” tab across the top tabs (in MSIE 11, it is next to General) – now click “Custom Level” to open your “Security Settings” for the Internet Zone – finally – change every ActiveX setting from enable/automatic to “Prompt”:
Finally – click OK and Apply – we recommend restarting your computer to be sure that every browser window is closed and has the new settings.
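The same Internet Zone change can be checked and applied from PowerShell. This is an added example, not part of the original article: it assumes PowerShell 3.0 or later and the current user's Internet Zone settings in the registry (Zone 3), and the `-Apply` switch is a name chosen for this example.

```powershell
# Added example (not from the original article): report the Internet Zone's
# ActiveX settings for the current user and, with -Apply, move any that are
# set to Enable over to Prompt. -Apply is a switch name chosen for this example.
param([switch]$Apply)

# Zone 3 is the Internet Zone. Value data: 0 = Enable, 1 = Prompt, 3 = Disable.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$stateName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# URL action IDs behind the ActiveX entries in the "Custom Level" dialog.
$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe for scripting'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}

$report = foreach ($id in $actions.Keys) {
    $value = (Get-ItemProperty -Path $zonePath -Name $id -ErrorAction SilentlyContinue).$id

    if ($null -eq $value) {
        $state = 'Not set for this user'      # a default or policy applies instead
    } elseif ($stateName.ContainsKey([int]$value)) {
        $state = $stateName[[int]$value]
    } else {
        $state = "Other ($value)"             # e.g. administrator-approved
    }

    # Tighten only: Enable becomes Prompt; Prompt and Disable are left alone.
    $changed = $false
    if ($Apply -and $value -eq 0) {
        Set-ItemProperty -Path $zonePath -Name $id -Value 1 -Type DWord
        $state = 'Prompt'
        $changed = $true
    }

    [pscustomobject]@{ Id = $id; Setting = $actions[$id]; State = $state; Changed = $changed }
}

$report | Format-Table -AutoSize

# Group Policy can override these per-user values, so confirm the result in
# Internet Options > Security > Custom Level after running with -Apply.
```

Run it without `-Apply` first to see which settings are currently on Enable, then restart Internet Explorer after applying so every window picks up the new values.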
Contributor Greg Hewitt-Long runs the IT security consultancy Computer Security Solutions llc and Web Your Business Inc. with his wife & business partner. Based in Johnstown, CO – they have their eyes and ears on IT subjects from Web Design, to Web Hosting, with Security being the glue that ties their businesses together.
Don’t even install Flash if you don’t need it to play games, etc. I don’t have it installed and have no problems viewing anything like YouTube, etc. If you ever do need it to view something, just install then uninstall or keep it turned “off” in your plug-ins. I also have everything checked in IE that Dave points out to do. Then I skip over to Chrome or Firefox to do all my browsing!
John,
You should be fine until Microsoft releases the patch to IE11 which could be any day or might be a week.
Also keep up to date with your Flash updates etc (there was one of those today).
Kind regards
Greg
Thanks very much, Greg. I did the Flash update the day it came out. I appreciate your help.
John
Hi Dave,
Thanks very much for this.
One question:
I have Internet Explorer 11 on both my computers. As my non-technical mind understands it, IE is “embedded” and I can’t get rid of it.
However, I’ve never used it, as Firefox is my browser of choice. While I do keep IE updated via Microsoft’s updates, that’s about as much attention as I pay to it.
Am I in any danger, especially with these new threats?
Thanks very much. I love your posts!
You should be fine as long as you don’t use IE to actively browse the web.
Thank you, Jeremy. I’ve never used IE to browse the web — for which I’m now grateful. 🙂
Normally this is what I will do to remove Internet Explorer.
Start > Control Panel > Programs and Features > Turn Windows features On or Off >
– Look for Internet Explorer 10 (depends on what version installed)
– (oops! missed this) uncheck Internet Explorer 10.
– There will be a message box, just click Yes to remove Internet Explorer.
– Click OK again to restore back to the menu.
– Close Control Panel and it’s done.
I hope this helps John.
Thanks very much for the removal instructions. I didn’t even know it was possible to delete IE. I appreciate your help.