Give IE the heave-ho until Microsoft patches zero-day
Run a different browser, says cyber watchdog US-CERT
Computerworld - The U.S. government's top cyber-security agency is telling Internet Explorer (IE) users they should consider running a different browser until Microsoft fixes a critical vulnerability.
The U.S. Computer Emergency Readiness Team (US-CERT) added its voice to the growing chorus of security organizations and companies that have warned people of the flaw, which affects IE6, IE7, IE8, IE9, IE10 and IE11.
US-CERT is part of the U.S. Department of Homeland Security, and regularly issues security warnings and threat alerts.
"US-CERT recommends that users and administrators enable Microsoft EMET where possible and consider employing an alternative Web browser until an official update is available," the agency said in a Sunday statement.
EMET refers to "Enhanced Mitigation Experience Toolkit," an anti-exploit utility that lets customers beef up security defenses on select applications.
Windows XP users are especially at risk to exploits of this IE vulnerability, because they will not receive patches for IE6, IE7 or IE8. Microsoft will be writing patches for all three versions, but will not offer them to Windows XP customers; it terminated support for the 12-year-old OS on April 8.
Security experts had warned Windows XP users that they would be targeted by hackers after support ended. They believed that cyber criminals would quickly find flaws by examining Microsoft's patches -- using a before-and-after code comparison -- in those products, like IE, that continue to receive updates on other editions of Windows.
"This happened a bit quicker than I expected, but it is a sign of things to come," said Wolfgang Kandek, chief technology officer of Qualys, in a Monday blog. "Since you will not get a patch for your operating system, deregistering the DLL will be your best option to defend your systems."
Kandek was talking about another suggestion from Microsoft, that users deregister the "vgx.dll" file. That .dll (dynamic-link library) is one of the modules that renders VML (vector markup language) within Windows.
"VML is only infrequently used on the Web, so disabling it in IE is the best way to prevent exploitation," Kandek contended.
Instructions for deregistering vgx.dll can be found in Microsoft's security advisory for the IE vulnerability.
US-CERT rarely goes as far as to recommend that Americans switch browsers because of a bug, but it has done so in the past. Last month, for example, the organization said Windows XP users would be safer if they stopped running IE.
Both Google's Chrome and Mozilla's Firefox run on Windows XP, and will receive security fixes until at least April 2015.
US-CERT's vulnerability notice for the IE flaw was published Sunday.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
- Russian credential theft shows why the password is dead
- Cybersecurity should be professionalized
- Feds declare big win over Cryptolocker ransomware
- Hackers hit more businesses through remote access accounts
- P.F. Chang's post-breach move to manual processing is telling
- Microsoft withholds monster IE update from Windows 8.1 dawdlers
- In baffling move, TrueCrypt open-source crypto project shuts down
- 'Oleg Pliss' hack makes for a perfect teachable IT moment
- Give IE the heave-ho until Microsoft patches zero-day
- Hackers find first post-retirement Windows XP-related vulnerability
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- DDoS Infographic: How Are Attacks Evolving? For the third consecutive year, Neustar surveyed businesses across major industries to track the evolution of DDoS attacks. Are they more frequent? Larger?...
- How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Malware and Vulnerabilities White Papers | Webcasts