This weekend Microsoft announced a serious vulnerability in its browser, Internet Explorer, a zero-day remote code execution hole, formally indexed as CVE-2014-1776. This vulnerability affects IE versions 6 through 11. You can read the details of the release from Microsoft here and also here. According to ESET security researcher Stephen Cobb, the safest response to this vulnerability is to use an alternative browser until IE is patched, regardless of which operating system you are using.
Noting that media coverage of the vulnerability has been extensive, partly because it is the first serious security flaw to affect Windows XP users after Microsoft ended support for the 12-year-old operating system on April 8, Cobb warns, “the XP angle to this news should not lead organizations to under-estimate the scope of this vulnerability.”
The flaw, which affects all versions of Internet Explorer from 6 to the latest version, 11, could let attackers assume full control over affected machines, according to The Verge’s report. The Verge points out that while users on a modern version of Windows will likely see a patch in a few weeks’ time, XP users will not.
In a post, Microsoft said, “Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability. The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated.”
Microsoft’s TechNet said that the vulnerability would either be fixed in one of the company’s monthly security updates, or via an out-of-cycle update. In other words: the vulnerability is currently not fixed.
ESET Senior Research Fellow David Harley offers the following advice, “Don’t panic: the known attacks around at present are limited in scope and volume. Being reasonably careful about which sites you visit is in itself likely to reduce the risk. On the other hand, don’t lapse into complacency.
“Setting IE Active Scripting and ActiveX to prompt is mildly irritating (or very irritating, if you’re a Facebook user), but seems to reduce the attack surface if you actually disallow it on prompt unless you know you need it. Or try disabling it altogether. The simplest route is just to set IE security levels to ‘high’, or use Enhanced Protected Mode in IE versions that support it.”
“If you’re using XP, you should probably be setting IE security level to ‘high’ already, as a way of generally decreasing the attack surface on an unsupported OS. Or using a browser that is less affected by the currency/obsolescence of the operating system. Which is probably a good thing to do irrespective of the OS you happen to be using.”
ESET’s KnowledgeBase also has advice on dealing with Microsoft Internet Explorer remote code execution hole (CVE-2014-1776).
Veteran security writer and researcher, and We Live Security contributor Graham Cluley wrote, “You as a user don’t have to do anything odd to get your Windows computer infected by malware spread via this exploit. All you need to do is visit a website that has been poisoned by the hackers using a version of Internet Explorer.”
“What you won’t find any mention of in Microsoft’s warning, notably, is Windows XP. That’s not because it’s immune to attack. It’s because, Microsoft released its last ever security patches for Windows XP on April 8 2014. If you are still running Windows XP you will never receive a patch for this zero-day vulnerability.”
The Wall Street Journal’s Digits blog said that while it was not a surprise that a vulnerability had been found in the dozen-year-old Windows XP, it was a surprise that one had appeared within weeks.
Digits speculated that Microsoft might make an exception and patch the vulnerability, but said that Microsoft were not available for comment.