A security flaw in Internet Explorer, spotted by Luxembourg-based security expert Eric Romang late last week, remains unpatched by Microsoft. The flaw is quite serious and can mean that users’ computers can get infected and taken control of if they simply visit a malicious website. Microsoft issued an advisory yesterday suggesting a temporary workaround and an advisory update 10 hours ago saying they are working on releasing a “one-click, full strength solution” in the “next few days”.
The zero-day Internet Explorer vulnerability which Mr Romang saw exploited, to infect his computer with “Poison Ivy”, is the subject of Microsoft Security Advisory 2757760. The advisory mentions that IE10 is not affected and there is a temporary workaround available for other IE version users. The temporary fix involves installing the free Microsoft Enhanced Mitigation Experience Toolkit (EMET), setting all your security zones to “High” thus blocking ActiveX Controls and Active Scripting. Then you must white-list trusted sites by adding them to the Internet Explorer Trusted Sites zone. An article on PCPro, quoting a McAfee employee, suggests it would be easier to simply ditch IE and download Google Chrome.
German government computer says no
The German government's Federal Office for Information Security (BSI) “urged the public on Tuesday to temporarily stop using Microsoft Corp's Internet Explorer” according to a news story published by Reuters today. The BSI advise using another browser for the time being, due to fears of “a fast spreading of the code”.
A few days remain until Microsoft will update IE9 and earlier. The security advisory update from 10 hours ago says “This Fix it will be available for everyone to download and install within the next few days. Until then, we encourage folks to review the advisory and follow the other mitigations listed there.” Also the fix will be very simple to use; “The Fix it is an easy-to-use, one-click, full-strength solution any Internet Explorer user can install. It will not affect your ability to browse the Web, and it will provide full protection against this issue until an update is available. It won’t require a reboot of your computer.”
Microsoft’s Yunsun Wee, Director, Trustworthy Computing says that “we have only seen a few attempts to exploit the issue, impacting an extremely limited number of people”. Let us hope the impact remains low while we wait for Windows Update to distribute the promised IE fix.