New Vulnerability Affects All Versions Of Internet Explorer


A newly discovered vulnerability in Internet Explorer is creating a potential field day for hackers:

Hackers are already at work exploiting a newly discovered flaw in Microsoft’s Internet Explorer that has left more than half of the world’s Web browsers vulnerable to attack, including those on many federal government computers.

Microsoft said it was aware of “limited target attacks” in a security advisory posted Saturday. The flaw affects Internet Explorer versions 6 through 11. However, hackers are mostly targeting versions 9 through 11, according to the security firm FireEye, which discovered the flaw.

The most vulnerable versions represent 26 percent of the total browser market, according to FireEye, which has termed the repeated assaults “Operation Clandestine Fox.” But that number jumps to about 56 percent when you include IE versions 6 through 8.

This is what is known as a “zero-day” threat because there was zero time between the discovery of the vulnerability and the first attack by someone exploiting it.

Not every vulnerable Web browser has been compromised. To exploit the vulnerability, hackers have to trick users into taking some sort of action such as clicking on a link or opening an e-mail attachment.

The flaw relies on a well-known Flash exploitation technique to bypass Windows security protection. Once the bad guys are in, they can install malicious software without users knowing.


Microsoft says once it finishes investigating the issue it will issue a fix for the problem, either in a monthly security update or a special security update.

Until the patch is released, using a different browser such as Chrome, Safari or Firefox is a good idea.

Brian Resnick notes that this presents a particular problem for the United States Government:

Over the weekend, Microsoft announced a huge security flaw in its Internet Explorer Web browser (in versions IE6 through IE11). “An attacker who successfully exploited this vulnerability could gain the same user rights as the current user,” Microsoft wrote in its advisory.

In response, the Homeland Security Department issued its own memo, advising computer users within the federal government to “consider employing an alternative Web browser,” seeing that the vulnerability “could lead to the complete compromise of an affected system,” which is not desirable.

A vulnerability like this is especially bad for the U.S. government, which tends to cling to older technology. That’s not to say that Internet Explorer is an “old” technology; it’s updated regularly. But it is losing market share, as National Journal’s Stephanie Stamm demonstrated in the graphic posted below. The browser also causes headaches for developers, because it renders Web pages differently than other browsers do. It also has a history of security glitches. Generally speaking, it’s thought to be the Hotmail of Web browsers.

Why anyone is still using Internet Explorer is one of those things that I’ve never been able to figure out. Nonetheless, if you are one of those people, consider this a good opportunity to jump ship to Chrome, Firefox, or Safari.


Doug Mataconis
About Doug Mataconis
Doug holds a B.A. in Political Science from Rutgers University and J.D. from George Mason University School of Law. He joined the staff of OTB in May 2010. Before joining OTB, he wrote at Below The Beltway, The Liberty Papers, and United Liberty.


  1. Scott says:

    Interesting. We were allowed to download Chrome for the first time last week.

  2. Ron Beasley says:

    I have not used IE for years. I first switched to Firefox and then to Chrome.

  3. PD Shaw says:

    I use Chrome, but occasionally need to use IE to download docs (almost always from government websites) that for some reason won’t open otherwise.

  4. Dave Schuler says:

    Why anyone is still using Internet Explorer is one of those things that I’ve never been able to figure out.

    I think you should ask web site developers. There are still too many web sites that are, obviously, only tested using IE or were written specifically for IE.

  5. jim says:

    “Why anyone is still using Internet Explorer is one of those things that I’ve never been able to figure out.”

    Not sure either, but where I work the ERP application and the partner portal of our most important business partner only support IE. Plus the ERP won’t let you attempt to log on with another browser.

  6. mike shupp says:

    Back when, in Win 98 / Win 2K days, you had to have IE installed to use some of Microsoft’s software development tools. So a lot of people have an install-IE reflex, part of their personal firmware, so to speak.

    Not to be critical; I’m one of them.

  7. bill says:

    @Ron Beasley: as did i after the eich dilemma. ie was terrible, don’t use it much so i’m not going to critique it.

  8. Ron Beasley says:

    @Dave Schuler: Dave, as a former web developer I used to have all browsers and tested any changes on all of them. That really hasn’t been necessary for several years now and that includes IE. The HTML protocol is pretty standard now.

  9. Matt says:

    @Ron Beasley: IE was quite special back in the day….

  10. Ron Beasley says:

    @Matt: If by special you mean pain in the ass, I agree.

  11. James in Silverdale, WA says:

    “Why anyone is still using Internet Explorer is one of those things that I’ve never been able to figure out.”

    Default Windows installation. There are large swaths of users for whom “installing a new browser” is akin to “creating a quantum computer from only kitchen utensils.”

    That aside, Microsoft’s negligence in browsers means developers have to scramble to accommodate it, the spec of which can change just from a single Windows update, often without notice. Keeps developers in business, without doubt or debate.

  12. One problem is that businesses and governments are still using ancient web applications which won’t work with newer browsers. A family member was working at one prominent company where all the computers still had Internet Explorer 6 on them because anything newer would cause problems with one of their web applications.