Critical Security Vulnerability in IE Exposes Users to Hackers
Microsoft has issued a warning that hackers are exploiting an unpatched critical security vulnerability in Internet Explorer (IE) versions 8 and 9. The company’s engineers are actively working on a security update to address the issue.
According to Dustin Childs, a spokesman for the Trustworthy Computing Group, the vulnerability affects all versions of IE, from IE6, which was released 12 years ago, to the current pre-release version of IE11. IE11, which will be launched on October 18, 2013, alongside Windows 8.1, is therefore not immune to the threat.
“This is not a version-specific issue,” Childs said in a blog post. “We are actively developing a security update to address this issue.”
The vulnerability lends itself to “drive-by” attacks, in which hackers hijack a user’s browser on Windows devices and load malicious content without the user’s knowledge or consent. This can be done by luring the target to a malicious website or by planting malicious code on a legitimate website.
Protecting Yourself from the Vulnerability
Until the actual patch is available, Microsoft has suggested a few ways for users to protect themselves from the vulnerability. These include:
- Configuring EMET 4.0: This is a tool that helps enterprise IT professionals enable exploit mitigation technologies, such as ASLR (address space layout randomization) and DEP (data execution prevention). However, it is a complex tool that is primarily intended for advanced users.
- Using Microsoft’s “Fixit” tool: This is a program that automates “shimming” the DLL file that contains the IE rendering engine. Microsoft has provided a link to the Fixit tool on its support website, and users can simply click the icon labeled “Enable” to use it.
- Temporarily abandoning IE: Users can temporarily abandon IE and use an alternative browser, such as Google’s Chrome or Mozilla’s Firefox, to protect themselves from attacks until Microsoft releases the patch.
When to Expect the Patch
Microsoft has not said when it will fix the IE flaw, but the next round of “Patch Tuesday” is only three weeks away, on October 8, 2013. The software giant’s security team is likely to announce an unplanned update before then.
Microsoft rarely publishes unplanned updates. The last one was MS13-008, which was released on January 14, 2013, to repair a vulnerability in the IE6, IE7, and IE8 browsers that had been under active attack since December 2012.
Conclusion
The critical security vulnerability, which hackers are exploiting in IE versions 8 and 9, is a serious issue that affects all versions of the browser, from IE6 to the current pre-release version of IE11. Microsoft has suggested a few ways for users to protect themselves, including temporarily abandoning IE in favor of an alternative browser. The software giant’s security team is actively working on a security update to address the issue, and users can expect an unplanned update before the next round of “Patch Tuesday” on October 8, 2013.