Internet Explorer Vulnerability Could be Used to Launch Cyber Attack, Say Feds

Federal officials have issued a warning to users of Internet Explorer: Stop using the Web browser until Microsoft can mitigate a security threat.

The U.S. Computer Emergency Readiness Team, a division of the Department of Homeland Security, is issuing the warning. The government agency recommends avoiding use of Internet Explorer until Microsoft finds a fix to a flaw in the browser that hackers have already used to launch attacks. CERT said in a statement this week:

“US-CERT is aware of active exploitation of a use-after-free vulnerability in Microsoft Internet Explorer. This vulnerability affects IE versions 6 through 11 and could allow unauthorized remote code execution.”

Microsoft has provided some workarounds for staunch users of Internet Explorer, or those who cannot use another browser. But Windows XP users will not find these workarounds beneficial, CERT says. They definitely should find another Web browser until the security risk is managed.

In its own warning this week, Microsoft explained that the IE bug is classified as a remote code execution vulnerability. In a Security Advisory posted at the Microsoft website, the company says:

“The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”

If you’re attacked through the Internet Explorer security vulnerability, a hacker could get the same administrative credentials you have on your computer. This could include access to sensitive information not only about yourself but your employees and customers or clients, too. Users with less access on a specific computer who are hacked would be less impacted by the security vulnerability, Microsoft notes.

For the attack to happen, a computer user would have to click a link to the attacker’s webpage sent via email or instant message. When the link is clicked, the website can exploit IE’s security glitch, allowing the cyberattack to proceed.

Microsoft says in its Security Advisory that any patch to mitigate this vulnerability with Internet Explorer would likely be issued in a monthly security update. However, depending on how soon a new patch is developed, Microsoft might elect to issue a special security update for most of its users.

Outside of Windows XP users, Microsoft says people can workaround the security flaws linked to its browser in several ways depending on the kind of Microsoft product being used.

For example, users operating on the Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 can enable the Enhanced Security Configuration mode. This should mitigate the security risk, Microsoft says.

Meanwhile Microsoft Outlook, Microsoft Outlook Express, and Windows Mail users should open HTML emails only in the Restricted Sites Zone. Clicking links in the ordinary email program could exploit your browser’s security flaw, Microsoft warns.

This is the first major security flaw with Windows and Internet Explorer since Microsoft discontinued support for the XP operating system. Microsoft announced earlier this month that it would no longer issue security and software updates for the once-popular operating system. So when Microsoft does issue an update to address this IE vulnerability, it will likely not be compatible with Windows XP.

Microsoft Photo via Shutterstock

---

More in: Cybersecurity 4 Comments ▼

---