Stop using Microsoft's IE browser until bug is fixed, US and UK warn
In rare move that highlights severity of security hole in popular Internet Explorer, US Computer Emergency Readiness Team and UK counterpart say some IE users may want to "consider employing an alternate browser" till flaw is patched.
It's not often that the US or UK governments weigh in on the browser wars, but a new Internet Explorer vulnerability -- one that affects all major versions of the browser from the past decade -- has forced them to raise an alarm: Stop using IE.
The zero-day exploit -- the term given to a previously unknown, unpatched flaw -- allows attackers to install malware on your computer without your permission. That malware could be used to steal personal data, track online behavior, or gain control of the computer. Security firm FireEye, which discovered the bug, said that the flaw is being used with a known Flash-based exploit technique to attack financial and defense organizations in the US via Internet Explorer 9, 10, and 11. Those versions of the browser run on Microsoft's Windows Vista, Windows 7, and Windows 8, although the exploit is present in Internet Explorer 6 and above.
While the Computer Emergency Readiness Team in England and the US regularly issue browser advisories, this is one of the few times that the CERT team has recommended that people avoid using a particular browser. Specifically, the advisory says administrators and users should "review Microsoft Security Advisory 2963983 for mitigation actions and workarounds" and that people who can't implement those stopgap measures, Windows XP users among them, "may consider employing an alternate browser."
FireEye recommends that if you can't switch browsers, then disable Internet Explorer's Flash plug-in. You also can use IE with Microsoft's Enhanced Mitigation Experience Toolkit (EMET) security app, but that will not be as secure as simply switching browsers.
In a statement, Microsoft told CNET, "On April 26, 2014, Microsoft released Security Advisory 2963983 to notify customers of a vulnerability in Internet Explorer. At this time we are aware of limited, targeted attacks. We encourage customers to follow the suggested mitigations outlined in the security advisory while an update is finalized."
The company advises Internet Explorer users that the Enhanced Protected Mode, on by default in IE 10 and IE 11, used with EMET, "will help protect against this potential risk."
The company did not address what people who use IE 9 or older should do. It's not expected that IE 6 will ever see an update, as Microsoft has stopped issuing security updates for the 12-year-old browser that still makes up 4.65 percent of the browser market.
The US Department of Homeland Security did not immediately respond to requests for comment.
Statistics vary as to how many people actually use Internet Explorer. NetMarketShare puts the total around 55 percent of the desktop browser market, while competitor StatCounter says that 22.58 percent of people use IE. While the disparity is large, in either case the flaw affects a huge number of browsers being actively used.
Update, 4:13 p.m. PT: Adds UK CERT position on Internet Explorer.
Update, April 29 at 10:34 a.m. PT: Adds specifics about the advisory.
Update, April 29 at 11:37 a.m. PT: Adds Microsoft statement.