Microsoft offers advice to deal with IE security bug

With no fix available yet, Microsoft has a few words of wisdom for users who don't want to be bitten by the newly discovered bug.

Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.
A malware attack exploiting Internet Explorer 9. Rapid7

Users of Internet Explorer versions 6 through 9 are grappling with another security flaw without a fix, but Microsoft has a few suggestions to help shore up protection.

Uncovered this past weekend, the security hole could compromise the PCs of IE users who surf to a malicious Web site. Microsoft said it's already aware of attacks that have tried to take advantage of this weakness.

Since no fix is yet available, it's up to users of IE to protect themselves. A new Microsoft Security Advisory offers several recommendations.

To start, the usual advice always applies. Make sure you're running updated antivirus and antispyware software and that you're using a firewall, either a third-party utility or the one built into Windows.

You can also install the Enhanced Mitigation Experience Toolkit from Microsoft. EMET tries to ward off attacks on software holes by putting up a wall of security obstacles that the malware writers must circumvent. EMET can be configured specifically for Internet Explorer as well as other applications.

Another option is to push the Internet and local Intranet security settings in IE to "high." To do this, launch Internet Explorer, click the Tools menu, and then select Internet Options. Click the Security tab and then select the Internet zone. Under the Security level for this zone, move the slider to High. Click the Local Intranet zone and again push the Security level to High.

Users can also set Active Scripting to "prompt" in both the Internet and Local Intranet zones. To do this, again select Internet Options from the Tools menu in IE. Click the Security tab. Click the Internet zone and then select Custom Level. Scroll down to the Scripting section and set Active Scripting to Prompt. Repeat the same steps for the Local Intranet zone.
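For organizations that need to confirm these two workarounds across many machines, the following read-only PowerShell audit is an added example, not taken from the article or from Microsoft's advisory. It assumes the standard per-user Internet Settings registry layout (zone 1 = Local intranet, zone 3 = Internet, value `1400` = Active Scripting) and checks only the current user's hive; settings enforced through Group Policy live under a separate Policies key and can override what is reported here.

```powershell
# Added example: read-only check of the zone security level and Active Scripting
# settings for the Internet and Local intranet zones of the current user.
# Registry layout (documented Internet Settings values):
#   Zones\1 = Local intranet, Zones\3 = Internet
#   CurrentLevel 0x12000 = "High" template
#   1400 (Active Scripting): 0 = Enable, 1 = Prompt, 3 = Disable
$ZoneRoot       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones          = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$HighLevel      = 0x12000
$ScriptingNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneWorkaroundStatus {
    param([string]$Root = $ZoneRoot)

    foreach ($id in ($Zones.Keys | Sort-Object)) {
        $key   = Join-Path $Root ([string]$id)
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        # A missing key or value means the zone is using defaults, so report "not set".
        $level  = if ($props) { $props.CurrentLevel } else { $null }
        $script = if ($props) { $props.'1400' }       else { $null }

        $levelText = if ($null -eq $level) { 'not set' } else { '0x{0:X}' -f [int]$level }
        $scriptText = if ($null -eq $script) { 'not set' }
                      elseif ($ScriptingNames.ContainsKey([int]$script)) { $ScriptingNames[[int]$script] }
                      else { "unknown ($script)" }

        # Either workaround counts: the slider at High, or scripting at Prompt/Disable.
        $isHigh       = ($null -ne $level)  -and ([int]$level -eq $HighLevel)
        $scriptLocked = ($null -ne $script) -and ([int]$script -in 1, 3)

        [pscustomobject]@{
            Zone            = $Zones[$id]
            SecurityLevel   = $levelText
            ActiveScripting = $scriptText
            LevelIsHigh     = $isHigh
            ScriptingLocked = $scriptLocked
            WorkaroundInUse = ($isHigh -or $scriptLocked)
        }
    }
}

Get-ZoneWorkaroundStatus | Format-Table -AutoSize
```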

As Microsoft warns, tweaking these settings could prevent access to certain Web sites.

Even changing the setting to "prompt" will trigger an annoying message, asking if you want to allow or block the site, anytime you hit a Web site that uses ActiveX controls.

Microsoft's own Windows update sites -- *.windowsupdate.microsoft.com and *.update.microsoft.com -- rely on ActiveX controls to install available updates.

You can add sites that you trust to the Trusted sites zone through Internet Options. But this can be time-consuming since you have to add them on an individual basis.

As a result, the easiest option is to just not use Internet Explorer, at least not while this exploit remains in the wild. Individual users can switch to Firefox, Chrome, or another browser. Organizations that have standardized on Internet Explorer face a tougher challenge. So the onus now is on Microsoft to fix this hole as quickly as possible.

You can learn more about the security flaw and possible workarounds through Microsoft's Security Advisory.