Give IE the heave-ho until Microsoft patches zero-day
Run a different browser, says cyber watchdog US-CERT
Computerworld - The U.S. government's top cyber-security agency is telling Internet Explorer (IE) users they should consider running a different browser until Microsoft fixes a critical vulnerability.
The U.S. Computer Emergency Readiness Team (US-CERT) added its voice to the growing chorus of security organizations and companies that have warned people of the flaw, which affects IE6, IE7, IE8, IE9, IE10 and IE11.
US-CERT is part of the U.S. Department of Homeland Security, and regularly issues security warnings and threat alerts.
"US-CERT recommends that users and administrators enable Microsoft EMET where possible and consider employing an alternative Web browser until an official update is available," the agency said in a Sunday statement.
EMET refers to "Enhanced Mitigation Experience Toolkit," an anti-exploit utility that lets customers beef up security defenses on select applications.
Windows XP users are especially at risk to exploits of this IE vulnerability, because they will not receive patches for IE6, IE7 or IE8. Microsoft will be writing patches for all three versions, but will not offer them to Windows XP customers; it terminated support for the 12-year-old OS on April 8.
Security experts had warned Windows XP users that they would be targeted by hackers after support ended. They believed that cyber criminals would quickly find flaws by examining Microsoft's patches -- using a before-and-after code comparison -- in those products, like IE, that continue to receive updates on other editions of Windows.
"This happened a bit quicker than I expected, but it is a sign of things to come," said Wolfgang Kandek, chief technology officer of Qualys, in a Monday blog. "Since you will not get a patch for your operating system, deregistering the DLL will be your best option to defend your systems."
Kandek was talking about another suggestion from Microsoft, that users deregister the "vgx.dll" file. That .dll (dynamic-link library) is one of the modules that renders VML (vector markup language) within Windows.
"VML is only infrequently used on the Web, so disabling it in IE is the best way to prevent exploitation," Kandek contended.
Instructions for deregistering vgx.dll can be found in Microsoft's security advisory for the IE vulnerability.
US-CERT rarely goes as far as to recommend that Americans switch browsers because of a bug, but it has done so in the past. Last month, for example, the organization said Windows XP users would be safer if they stopped running IE.
Both Google's Chrome and Mozilla's Firefox run on Windows XP, and will receive security fixes until at least April 2015.
US-CERT's vulnerability notice for the IE flaw was published Sunday.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.
- Feds declare big win over Cryptolocker ransomware
- Hackers hit more businesses through remote access accounts
- P.F. Chang's post-breach move to manual processing is telling
- Microsoft withholds monster IE update from Windows 8.1 dawdlers
- In baffling move, TrueCrypt open-source crypto project shuts down
- 'Oleg Pliss' hack makes for a perfect teachable IT moment
- Give IE the heave-ho until Microsoft patches zero-day
- Hackers find first post-retirement Windows XP-related vulnerability
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Fight Malware, Malfeasance and Malingering Every year brings more extreme sets of threats than the last. The good news is that there are a range of mitigation options....
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Malware and Vulnerabilities White Papers | Webcasts