
ALERT: Do not use Internet Explorer Until Further Notice from Microsoft

Nina Lukina


Internet Explorer has a serious security gap that allows hackers to install malicious software, remotely and undetected by the user. The U.S. Department of Homeland Security advises against using the browser until Microsoft releases a patch for the vulnerability.

Law firms and financial companies should take particular caution. Vitor De Souza of FireEye, the cybersecurity firm that discovered the security flaw, told Reuters that the vulnerability has led to “a campaign of targeted attacks seemingly against U.S.-based firms, currently tied to defense and financial sectors” and that the motive appears to be “broad-spectrum intel gathering.”

The exploit is easy to trigger: a user only has to view an infected Web page or email attachment that uses Adobe Flash. The hacker then gains the same rights as the user and can use them to access privileged information. Consequently, the risk seems to be minimal for people who are designated Local Users rather than Local Administrators.

Microsoft’s Security Advisory 2963983 warns that it “is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.” Over half of all PCs are running an affected version.

The best way to avoid the danger is simply not to use Internet Explorer until Microsoft releases a fix. In the meantime, use an alternate browser, such as Google Chrome or Mozilla Firefox. Microsoft will release a fix at some point, and Adobe has already released one for Flash.

While it is safest to forgo Internet Explorer altogether for now, you can also protect yourself by disabling Adobe Flash or by running the browser in “Enhanced Protected Mode” or “64-bit process mode.” IT administrators can use the Microsoft Enhanced Mitigation Experience Toolkit to avoid the exploit if no alternate browser can be used. However, this will not work for Windows XP or Windows Server 2003, which do not support ASLR.

The situation is especially dire for firms running XP. The operating system will not receive a fix, since Microsoft ended support for it earlier this month. XP users should switch to an alternate browser permanently and give serious consideration to upgrading to a supported operating system.