Microsoft has yet to patch its latest critical Internet Explorer zero-day security flaw, but an advisory about the bug now offers two temporary solutions.
Updated on Monday, Microsoft Security Advisory 2963983 offers new information about the zero-day vulnerability, which affects all versions of Internet Explorer. The flaw could allow remote code execution and has already been used in "limited, targeted attacks," Microsoft revealed, though those attacks have so far affected only IE versions 9, 10, and 11.
The potential reach of the bug could be widespread. Estimates of IE usage range from about 22 percent of people browsing the Web (StatCounter) to more than half of the desktop browser market (NetMarketShare).
The vulnerability is so severe that even US and UK security agencies have cautioned people against using IE for now.
So what does Microsoft suggest for people who still need to use Internet Explorer? Turn on a feature called Enhanced Protected Mode. Introduced in IE 10, this mode adds an extra layer of protection by preventing malware attacks from infecting your system.
Microsoft explains how to enable Enhanced Protected Mode (EPM) in the "suggested actions" section of its advisory. The steps are outlined as follows:
- To enable EPM in IE 10 or 11, click the Tools menu and then click Internet options.
- In the Internet Options window, click the Advanced tab.
- Scroll down the list of options until you see the Security section.
- Look for the option to Enable Enhanced Protected Mode and click its checkbox to turn it on.
- If you're running IE 11 in a 64-bit version of Windows, you also need to click the checkbox to Enable 64-bit processes for Enhanced Protected Mode.
- Restart IE to force the new setting to take effect.
EPM is saddled with a couple of limitations. The feature supports only IE 10 and 11 and only 64-bit versions of Windows. And some websites and add-ons won't work with EPM enabled.
How do you protect yourself if you're running an older version of IE or use a site that doesn't play nicely with EPM? You can unregister an associated IE DLL file called VGX.DLL. Microsoft explains how to unregister this file in the suggested actions section.
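
For administrators who need to check or apply both workarounds on many machines, here is a scripted version. It is an added PowerShell example, not taken from this article or from Microsoft's advisory. The registry value names (`Isolation`, `Isolation64Bit`) and the vgx.dll locations are assumptions that do not appear on this page; confirm them against the advisory before use.

```powershell
# Added example: audit, and optionally apply, the two workarounds described above.
# Assumptions (not from the article): the registry value names and the vgx.dll paths;
# check them against Microsoft Security Advisory 2963983 before deploying.
param([switch]$EnableEpm, [switch]$UnregisterVgx)

$ieKey   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$mainKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

# IE 10 and 11 store their real version in svcVersion; older releases only set Version.
$ie        = Get-ItemProperty -Path $ieKey -ErrorAction Stop
$ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
$ieMajor   = [int]($ieVersion -split '\.')[0]
$is64      = [Environment]::Is64BitOperatingSystem

# Per the article, EPM needs IE 10 or 11 on 64-bit Windows.
$epmSupported = ($ieMajor -ge 10) -and $is64

if ($EnableEpm -and $epmSupported) {
    if (-not (Test-Path $mainKey)) { New-Item -Path $mainKey -Force | Out-Null }
    # "Enable Enhanced Protected Mode" checkbox (per-user setting).
    New-ItemProperty -Path $mainKey -Name Isolation -Value 'PMEM' -PropertyType String -Force | Out-Null
    if ($ieMajor -ge 11) {
        # "Enable 64-bit processes for Enhanced Protected Mode" checkbox (IE 11 only).
        New-ItemProperty -Path $mainKey -Name Isolation64Bit -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Locate vgx.dll; 64-bit Windows carries a second copy under the x86 tree.
$roots = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) | Where-Object { $_ }
$vgx   = @($roots | ForEach-Object { Join-Path $_ 'Microsoft Shared\VGX\vgx.dll' } | Where-Object { Test-Path $_ })

if ($UnregisterVgx) {
    foreach ($dll in $vgx) {
        # Needs an elevated prompt; /s suppresses the dialog, /u unregisters.
        $p = Start-Process "$env:SystemRoot\System32\regsvr32.exe" -ArgumentList '/u', '/s', "`"$dll`"" -Wait -PassThru
        if ($p.ExitCode -ne 0) { Write-Warning "regsvr32 failed for $dll (exit $($p.ExitCode))" }
    }
}

# Report the resulting state so the run can be logged or compared across machines.
$main = Get-ItemProperty -Path $mainKey -ErrorAction SilentlyContinue
[pscustomobject]@{
    IEVersion      = $ieVersion
    Is64BitWindows = $is64
    EpmSupported   = $epmSupported
    EpmEnabled     = ($main.Isolation -eq 'PMEM')
    Epm64BitTabs   = ($main.Isolation64Bit -eq 1)
    VgxDllFound    = $vgx -join '; '
}
```

Run with no switches, the script only reports; `-EnableEpm` and `-UnregisterVgx` each apply one workaround, and IE must be restarted afterwards for the EPM setting to take effect.
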
Until Microsoft can patch this bug, the best option is to use an alternate browser such as Firefox or Google Chrome. But those of you stuck on IE can at least better protect yourself by following Microsoft's suggestions.