Security flaws and vulnerabilities are more than a fact of life. It’s almost like road construction. In the same way you know you’re going to hit road construction somewhere on any trip, you sort of know you’re going to be dealing with some sort of security issue during your journey through the Internet. Inconvenient is the word that comes to mind. Fact of life is a phrase we all wish we didn’t need to use in either circumstance. Unfortunately, security flaws are more than just an inconvenience. They can in fact open doors for thieves to steal your data.
UPDATE: Patches are being released. See the update below.
That appears to be the case with the serious IE security flaw, affecting versions of Internet Explorer from 6.0 to 11.0, that came to light over the weekend. In fact the vulnerability is such an issue that it has prompted a warning from the U.S. Department of Homeland Security recommending that users steer clear of Internet Explorer until Microsoft releases a patch. We’re not just talking older versions, we’re talking all versions of Internet Explorer, or about 25% of the browsers people use to surf the web.
Microsoft confirmed the vulnerability last night.
Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.
The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
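The advisory describes a reference to an object that has already been deleted, or never properly allocated, being used as if it were still valid. The C program below is an added illustration written for this post, not code from the page, from Microsoft or from Internet Explorer, and every name in it is constructed. It uses a tiny static object table in place of a real heap so that the stale read is deterministic rather than undefined behaviour: the unchecked accessor shows how a dangling reference silently observes whatever object now occupies the freed slot, and the checked accessor shows one standard defensive pattern, generation-tagged handles, that rejects the stale reference instead of honouring it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the page, Microsoft or IE): a small object table standing
 * in for a browser's internal object storage. Slot memory stays in place after a
 * delete, just as freed heap memory does, so a stale reference still "works". */

#define SLOTS 4

typedef struct {
    unsigned gen;       /* bumped on every allocate and on every free */
    int      live;      /* 1 while the object exists */
    char     name[16];  /* stand-in for the object's contents */
} slot_t;

typedef struct {
    int      idx;       /* which slot the handle refers to */
    unsigned gen;       /* generation the handle was issued for */
} handle_t;

static slot_t table[SLOTS];

/* Allocate the first free slot; idx is -1 when the table is full. */
handle_t obj_alloc(const char *name) {
    handle_t h = { -1, 0 };
    for (int i = 0; i < SLOTS; i++) {
        if (!table[i].live) {
            table[i].live = 1;
            table[i].gen++;                      /* new object, new generation */
            strncpy(table[i].name, name, sizeof table[i].name - 1);
            table[i].name[sizeof table[i].name - 1] = '\0';
            h.idx = i;
            h.gen = table[i].gen;
            return h;
        }
    }
    return h;
}

/* Delete the object. Contents are left in place, as a real free() leaves them. */
void obj_free(handle_t h) {
    if (h.idx < 0 || h.idx >= SLOTS) return;
    table[h.idx].live = 0;
    table[h.idx].gen++;
}

/* The bug class from the advisory: trust the reference and read whatever is
 * there now. After obj_free this returns stale or reused contents. */
const char *obj_name_unchecked(handle_t h) {
    return table[h.idx].name;
}

/* The defensive pattern: honour a handle only while its generation matches. */
const char *obj_name_checked(handle_t h) {
    if (h.idx < 0 || h.idx >= SLOTS) return NULL;
    if (!table[h.idx].live || table[h.idx].gen != h.gen) return NULL;
    return table[h.idx].name;
}

/* Scenario: allocate, delete, let another object take the slot, reuse the old
 * handle. Returns 1 when the stale handle observes the replacement object. */
int scenario_unchecked_reads_reused_object(void) {
    memset(table, 0, sizeof table);
    handle_t a = obj_alloc("image");
    obj_free(a);
    handle_t b = obj_alloc("script");            /* lands in the slot "image" vacated */
    (void)b;
    return strcmp(obj_name_unchecked(a), "script") == 0;
}

/* Same scenario through the checked accessor. Returns 1 when the stale handle is
 * refused while the current handle still resolves to its own object. */
int scenario_checked_rejects_stale_handle(void) {
    memset(table, 0, sizeof table);
    handle_t a = obj_alloc("image");
    obj_free(a);
    handle_t b = obj_alloc("script");
    int rejected = obj_name_checked(a) == NULL;
    const char *cur = obj_name_checked(b);
    int valid = cur != NULL && strcmp(cur, "script") == 0;
    return rejected && valid;
}

int main(void) {
    printf("unchecked accessor follows stale handle to new object: %d\n",
           scenario_unchecked_reads_reused_object());
    printf("checked accessor refuses stale handle, honours live one: %d\n",
           scenario_checked_rejects_stale_handle());
    return 0;
}
```

The point of the two scenarios is that the memory itself looks fine in both cases; the difference is whether the code checks that the object the reference was issued for is the object that is there now. In a browser, the "script" object that moves into the vacated slot is whatever the page happened to allocate next, which is why the advisory treats this as a remote code execution issue rather than a mere crash.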
In plain language, the vulnerability could let hackers gain the full permissions of the logged-in user on your computer. That would allow a hacker to install programs, view and delete data, and much more, all because the user visited a website. We’ve heard of similar zero-day flaws before, but the danger of this new one is magnified by the number of IE versions that are vulnerable and by its timing, coming right after Microsoft finally ended support for Windows XP.
This is also the first big security bug reported since Microsoft finally terminated support for the 12-year-old operating system, Windows XP. The official end of support means that users still running Windows XP will not receive security updates. Being the first major security vulnerability since the end of Windows XP support, it will certainly challenge many users, especially businesses that are still running XP because of proprietary in-house software.
The fact that the U.S. government has published a warning strikes some as good news, but also as odd, given the recent news of other security vulnerabilities, like Heartbleed, where different branches of the U.S. security apparatus most likely knew of the bug but did nothing to protect ordinary users and businesses. Some believe that the NSA took advantage of that flaw for spying purposes, but those theories have not been proven.
There is no word at present as to when a patch will be issued, but it might be a good time to fire up another browser until the situation is rectified. It is expected that Microsoft will issue an out-of-cycle patch prior to the next Patch Tuesday update, which is scheduled for May 13, 2014.
UPDATE: Adobe has released a patch for users of Internet Explorer versions 10 and 11. Information can be found here. Microsoft has also released a revised security update about this patch. Users of Windows 8 and 8.1 can find the update via Windows Update.
You can also read much more on the bug and the fixes at Krebs on Security.