Criminals are using a new Internet Explorer security hole to attack Windows computers in targeted attacks, though the vulnerability could end up being more widely exploited. While IE9 and IE10 are not affected, IE6, IE7, and IE8 are. It’s great to see that the latest versions of IE are immune, but this new vulnerability is still bad news for users of Windows XP and earlier, since they cannot upgrade to more recent versions of Microsoft’s browser.
“Microsoft released Security Advisory 2794220 to provide customer awareness of a vulnerability affecting Internet Explorer versions 6, 7, and 8,” Dustin Childs of Microsoft Trustworthy Computing told The Next Web. “While we actively work to develop an easy, one-click Fix it solution and security update for this issue, we strongly encourage that customers apply the mitigations and workarounds described in the advisory.”
The IE zero-day flaw first came to light after reports surfaced that the Council on Foreign Relations (CFR) had been hacked. A closer look by security firm FireEye led to the discovery that the CFR site had been compromised and was hosting malicious content as early as December 21.
“The Council on Foreign Relations’ website security team is aware of the issue and is currently investigating the situation,” CFR spokesperson David Mikhail told The Washington Free Beacon on Thursday. “We are also working to mitigate the possibility for future events of this sort.”
More details of the vulnerability are available at the CERT Knowledgebase (VU#154201). Here’s the full technical description:
Since there is no patch available, the CERT note recommends a few workarounds: use the Microsoft Enhanced Mitigation Experience Toolkit (EMET), disable the Flash ActiveX control in IE, and disable Java in IE. We recommend avoiding the use of IE8 or earlier altogether, either by upgrading to IE9/IE10 or by simply using a different browser such as Google Chrome.
Image credit: Miguel Saavedra