A branch of the US Department of Homeland Security is telling Americans to stop using Internet Explorer due to a vulnerability that allows hackers to remotely execute code on victims’ computers as they surf the web.
The United States Computer Emergency Readiness Team (CERT) warns that all versions of Internet Explorer from 6 to 11 can be affected, although those responsible appear to be currently targeting IE9 and IE10, according to FireEye Research Labs, the California-based Internet security software company that first exposed the vulnerability.
Computer security experts warn that no fix has been found, and they urge people to avoid using Internet Explorer until the security is sound.
WHAT DOES IT DO?
Over the weekend, Microsoft acknowledged “limited, targeted attacks” that exploited a vulnerability in the browser in order to remotely run code through a user’s browser, forcing the user to view a website crafted by the attacker instead.
FROM MICROSOFT: Vulnerability in Internet Explorer could allow remote code execution.
Rather than targeting specific victims one by one, the hackers inject code into a website a victim may visit. That code then infects the victim’s computer.
According to FireEye, the exploit takes advantage of a previously unknown “use-after-free” vulnerability and a well-known Adobe Flash exploitation technique to circumvent Windows security protections.
WHAT CAN BE DONE?
No practical solution has been identified yet, but the Microsoft Enhanced Mitigation Experience Toolkit can help prevent the vulnerability from being exploited; however, older versions of Windows including Windows XP and Windows Server 2003 won’t be protected in the same way more modern versions will.
Although the bug does not compromise the security of Adobe Flash, FireEye said the attack cannot work without it and said users can disable the Flash plug-in within IE to protect themselves; however, that will render many popular websites unusable.
Symantec is also offering XP users tools to help ward off attack.