My original plan for today was to focus on some of the more interesting tidbits to come from Verizon’s 2014 Data Breach Investigations Report, but you know the old saying about making plans. The security writer’s modification of that saying is “plan to write about last week’s news and the hackers will get busy with something new.”
That something new is the flaw in Internet Explorer that is affecting every single version of IE and is bad enough that experts across the board are warning people to use another browser until the flaw is fixed.
So if you are reading this on IE, please go to another browser and read my blog safely!
According to Ross Barrett, senior manager of Security Engineering, Rapid7, this is another zero-day exploit, explaining in a blog post:
The known exploit for this issue relies on Adobe Flash to be present and enabled. Disabling or removing flash will block the known exploit, but does not address the root cause issue in Internet Explorer.
Microsoft has issued an advisory, but as of this writing, there is no patch. If you look at the advisory, you’ll note that Windows XP isn’t listed among the operating systems and browser versions that are affected. It’s not because XP doesn’t have a problem; instead, it is because Microsoft no longer recognizes XP. This is the first widespread vulnerability since Microsoft ended XP support earlier in April.
However, as Bloomberg Businessweek pointed out, you can still use XP and avoid this zero-day exploit:
There are other things that could protect XP users from attacks. The vulnerability exists in a Web browser, which means that it can only be exploited if victims use that browser to visit a website designed to attack them. “An attacker would have no way to force users to visit these websites,” wrote Microsoft in a security advisory. “Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message.”
Most security experts I’ve heard from expect the vulnerability to be patched on Patch Tuesday in mid-May. It may not be until then that we see how this and any other new vulnerabilities uncovered will affect the security of Windows XP users.