I was alerted to a new IE exploit and thought I would check it out to see whether this was something brand new or something related to the Java exploits from a few weeks ago. Then I saw a number of headlines that went something like this: German Government Urges Public to Stop Using Internet Explorer.
Now that’s something you don’t see every day.
And here’s the reason behind the dire warning, according to Rapid7’s SecurityStreet blog:
A new zero-day exploit for Internet Explorer 7, 8, and 9 on Windows XP, Vista and 7. Computers can get compromised simply by visiting a malicious website, which gives the attacker the same privileges as the current user ... The associated vulnerability puts about 41% of Internet users in North America and 32% world-wide at risk (source: StatCounter).
Microsoft has also put out its own warning on the exploit and, as of this writing, is working on a fix. It also added that if you have upgraded to IE10, you are fine (and this serves as yet another reminder of why you should upgrade to the latest version of a browser rather than keep using older, less secure versions). The most important part of the Microsoft warning is the set of security workarounds it provides while it develops the patch. Obviously, unlike the German government, Microsoft wants you to continue using its browser.
Usually, when I read stories about exploits and what they are designed to do, the information is pretty straightforward. That doesn’t seem to be the case here. For instance, I read an article on PC World that said if you don’t use Java on your machine you are safe, and that while IE10 isn’t affected by this exploit, users are still vulnerable because of flaws in Adobe Flash — I’m not sure if the two exploits are related or if this was just a warning that IE10 is safe from problem X but not from problem Y, even though we aren’t really talking about problem Y. But the most interesting comment in the article came from Andrew Storms, director of security operations for nCircle, who said:
If your systems are running IE, you are at risk, but don’t panic. The reality is it’s just one more zero-day and we’ve seen an awful lot of them come and go.
I guess that’s true in security circles, but when you are on the other side of the computer and your business depends on using the Web, being told it is “just one more zero-day” isn’t going to cut it.
Telling folks to use another browser until the problem is fixed is good advice, but it is not always feasible advice. There are organizations that use a single browser across all of their computers. Considering how many people out there are reluctant to upgrade from older versions of IE, chances are they aren’t going to hop on the bandwagon and switch to Chrome or another browser straight off. (And good luck getting folks who are set in their ways with one browser to make a sudden switch to a new one. I’ve been using Chrome for months and I’m still not used to the differences between it and IE.)
If you do use other browsers, definitely use them until Microsoft releases the fix. But just as important, remind employees of the risks of clicking on social media links or visiting unknown websites, since this exploit is triggered simply by visiting a malicious page.