Microsoft have released Security Advisory 257760 for Internet Explorer 9 (and earlier versions) to address a security flaw which can be used to infect a user viewing a website hosting malicious code.
This zero-day (not fixed) vulnerability is already being exploited in targeted attacks by compromised websites – infection can occur simply by visiting the malicious website and could result in an attacker stealing data or taking remote control of a PC.
The vulnerability affects users of XP, Vista or Windows 7 – running any version of Internet Explorer from IE6 to IE9. Microsoft seem at pains to point out that IE10 is not affected – but considering that IE10 isn’t officially released to the public until 26th October (with Windows 8), that isn’t much consolation…
Earlier this month I noted that IE now has a 33% share of the global web browser market – so the exploit leaves hundreds of millions of users vulnerable. Microsoft’s Advisory contains temporary workarounds and mitigation to help defend against this threat:
Installing EMET (Enhanced Mitigation Experience Toolkit) may mitigate it, but EMET is definitely not consumer friendly – it is targeted more at enterprises or system administrators. If you know how to configure a pro firewall from scratch you’ll probably work it out – if not, be prepared for a lot of reading, and of course you may not mitigate the threat if you don’t really know how to use it…
Microsoft’s other suggestions affect IE usability – blocking ActiveX and Active Scripting could cause users to have to add dozens of trusted sites to the Internet Explorer Trusted Sites zone as a result. Even following all of these suggestions may not completely remove the threat.
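To make the usability trade-off concrete, here is what the “disable Active Scripting and ActiveX in the Internet zone, then whitelist sites you trust” workaround looks like when applied per user from PowerShell. This is an added example written for this post, not a script from Microsoft’s advisory; the registry locations and value meanings are Internet Explorer’s documented zone settings, while the site names are placeholders you would replace with your own.

```powershell
# Per-user IE zone settings live under this key; zone 3 is the Internet zone.
$internetZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action values: 1200 = "Run ActiveX controls and plug-ins", 1400 = "Active scripting".
# Data: 0 = Enable, 1 = Prompt, 3 = Disable.
Set-ItemProperty -Path $internetZone -Name '1200' -Value 3 -Type DWord   # disable ActiveX
Set-ItemProperty -Path $internetZone -Name '1400' -Value 3 -Type DWord   # disable Active Scripting

# Sites that must keep scripting working have to be moved into the Trusted Sites zone (zone 2).
# Each domain becomes a subkey under ZoneMap\Domains, with a value named after the scheme
# ('https', 'http' or '*') whose DWORD data is the target zone number.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Placeholder domains (assumption for this example): replace with the sites you actually use.
$trustedSites = @('example.com', 'example.org')

foreach ($site in $trustedSites) {
    $siteKey = Join-Path $zoneMap $site
    if (-not (Test-Path $siteKey)) {
        New-Item -Path $siteKey -Force | Out-Null
    }
    # Trust the site over HTTPS only; use '*' instead of 'https' to trust every scheme.
    Set-ItemProperty -Path $siteKey -Name 'https' -Value 2 -Type DWord
}

# Read back the Internet zone so the change can be verified before the user notices.
Get-ItemProperty -Path $internetZone | Select-Object 1200, 1400
```

Every site added to the Trusted Sites zone regains ActiveX and scripting, so the list grows with each broken login page or web application, which is exactly the maintenance burden the advisory’s workaround imposes. Run it in the user’s own session (the settings are under HKCU) and restart Internet Explorer for the zone changes to take effect.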
A much easier and more permanent solution (which of course Microsoft do not suggest) is to just switch to a different web browser such as Google Chrome or Firefox etc.
Migrating to another browser is particularly appropriate for XP users who can’t even upgrade to IE9 – although it is about to be replaced, IE9 is still more secure than the outdated IE8 that XP users are stuck with.
UPDATE 20th Sept
Microsoft have now released a manual Fix It to resolve this vulnerability and are to issue an automatic update for all users tomorrow – see here for details.
I have noted before that this ‘two stage’ approach to securing IE is a major weakness compared to rivals such as Chrome and Firefox. When faced with such a vulnerability, Chrome and Firefox could just release an emergency update of the browser – a new version rolled out automatically to all users to protect them, even if they weren’t aware of the problem…
This delay in patching IE is the inevitable consequence of it being so tightly integrated into Windows, rather than created as a standalone browser – it takes longer to test IE changes and roll out an automatic Windows update than it takes for rivals to update a single program.