A bug in the Web's most popular browser
On Saturday, FireEye Research Labs, an Internet security software company, announced a previously unknown security flaw impacting all recent versions of Internet Explorer (IE), from versions 6 through 11. Microsoft further warns users that there have been active attacks attempting to exploit this vulnerability.
Microsoft is working to fix the code. However, as of today, no patch has been posted.
A description of the vulnerability and several workarounds are listed below, however Daystar advises that your most secure method of protection is to simply stop using IE, at least until a patch is issued. We highly recommend switching all Web browsing to Google Chrome or Mozilla Firefox immediately.
How it works
The initial attacks are what’s known as “watering-hole attacks”. Hackers corrupt normal, everyday Websites that users are known to visit by hiding code on the site that infects their computers without them even knowing it’s happening. All a user has to do is simply browse to a hacked or malicious site and the code silently installs malicious software. Malware can be used to steal personal data, track online activity, or gain control of the infected system.
The attacks use Adobe Flash to bypass security protections on Windows. The flaw enables hackers to circumvent security protections in the Windows operating system.
What should I do?
Until a patch is issued, Daystar recommends that you instruct all users to stop using IE immediately. You can easily download alternative browsers and import all bookmarks.
Download Google Chrome
Download Mozilla Firefox
Again, using a different browser will completely eliminate the vulnerability to your systems. If, for some reason, you cannot use a different browser, Daystar has found the following actions will help mitigate your risk.
- Disable the Adobe Flash plug-in on IE. This will eliminate risk, but will also remove the browser’s ability to play Flash videos and games.
- Run IE in Enhanced Protected Mode (EPM). In IE, go to Tools / Options / Security and check the EPM box at the bottom of the page.
- Microsoft recommends IE users to download and install its free Enhanced Mitigation Experience Toolkit (EMET) security app. Be sure to use EMET 4.1 as earlier versions will not protect against this vulnerability. Please note that this is not as secure as switching browsers.
Windows XP Users
If you are still running Windows XP, please be advised that your only option is to immediately switch browsers. This vulnerability will never be fixed for Windows XP, as Microsoft ceased support for XP on April 8, 2014. With the exception of switching browsers and disabling Adobe Flash plug-ins, the above alternative solutions will not protect XP users.
Microsoft fully intends to release a patch to remove the security flaw and restore IE to safe browsing. It is still unclear whether the patch will be released before Microsoft’s next Patch Tuesday on May 14. We will continue to monitor the situation and inform you once the patch has been issued.
Should you have any questions, please contact Daystar's Professional Services Group via your client portal, e-mail, or via phone at 603.766.5924 x3.
