Microsoft revealed a nasty bug in its Internet Explorer browser on Saturday. Today, the U.S. government issued an advisory warning people not to use Microsoft’s browser.
The bug, Microsoft reported, “may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer.” In case that’s not clear enough: It means a hacker could run any code they want on your system, simply by getting you to visit a malicious website.
In other words, it’s very bad news.
It affects Internet Explorer versions 6 through 11 on a wide range of Windows versions, with the exception of Windows Server editions from 2003 through 2012. (On those operating systems, IE runs in an enhanced security configuration that mitigates the problem.)
Security company FireEye discovered the bug and reported it to Microsoft, which then issued the advisory over the weekend.
The problem is especially bad because Microsoft has officially ended support for Windows XP, the long-obsolete but still widely used operating system found in many corporate environments. The U.S. Computer Emergency Readiness Team advised Windows XP users to “consider employing an alternate browser.”
That might be good advice for just about anyone. Microsoft’s suggestions for fixing this problem are a list of options that only an IT manager seeking full employment is likely to follow. (Or, perhaps, an IT manager who has no choice but to permit employees to use Internet Explorer — maybe because the company’s corporate information system only works with IE. Let us pause for a moment to appreciate these sad souls and the work they do.)
- Deploy the Enhanced Mitigation Experience Toolkit 4.1
- Set security settings to “High” in the Internet and Local intranet zones to block ActiveX Controls and Active Scripting
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting
- Modify the Access Control List on VGX.DLL to be more restrictive
- Enable Enhanced Protected Mode For Internet Explorer 11 and Enable 64-bit Processes for Enhanced Protected Mode
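For an IT manager who does have to keep IE around, the useful question is whether the workarounds above are actually in place on a given machine. The PowerShell script below is an added example, not code from the article or from Microsoft; it only reads settings and reports them. It assumes the documented IE registry locations (zone 1 = Local intranet, zone 3 = Internet; value 1200 = ActiveX controls, 1400 = Active Scripting, where 0 = Enable, 1 = Prompt, 3 = Disable; Enhanced Protected Mode stored under `Internet Explorer\Main` as `Isolation` = `PMEM` and `Isolation64Bit` = 1), the usual VGX.DLL location under Common Files, and an EMET service name of `EMET_Service`; all of these are assumptions and may differ on a given install.

```powershell
# Added example: audit the Internet Explorer workaround settings for the current user.
# Read-only; nothing here changes configuration.

# Zone IDs and per-action value names (assumed, documented IE layout)
$zones    = @{ 3 = 'Internet'; 1 = 'Local intranet' }
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$actions  = @{ '1200' = 'ActiveX controls'; '1400' = 'Active Scripting' }
$labels   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

"{0,-15} {1,-18} {2,-18} {3}" -f 'Zone', 'Setting', 'State', 'Status'
foreach ($id in $zones.Keys) {
    $props = Get-ItemProperty -Path (Join-Path $zoneRoot $id) -ErrorAction SilentlyContinue
    foreach ($a in $actions.Keys) {
        $v = $props.$a
        # An unset value means the zone's template default applies (Enable for Internet)
        $state = if ($null -eq $v) { 'not set (default)' } else { $labels[[int]$v] }
        $ok    = ($v -eq 1 -or $v -eq 3)   # Prompt or Disable both satisfy the workaround
        "{0,-15} {1,-18} {2,-18} {3}" -f $zones[$id], $actions[$a], $state, $(if ($ok) { 'OK' } else { 'REVIEW' })
    }
}

# Enhanced Protected Mode (IE10/11): Isolation = 'PMEM' turns it on,
# Isolation64Bit = 1 runs content processes as 64-bit (assumed value names).
$main = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
"EPM enabled:            {0}" -f ($main.Isolation -eq 'PMEM')
"EPM 64-bit processes:   {0}" -f ($main.Isolation64Bit -eq 1)

# VGX.DLL access control: the workaround adds a Deny entry for Everyone (path assumed).
$vgx = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'
if (Test-Path $vgx) {
    $denyAll = (Get-Acl $vgx).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -match 'Everyone'
    }
    "VGX.DLL deny ACE (Everyone): {0}" -f [bool]$denyAll
} else {
    "VGX.DLL not found at $vgx"
}

# EMET agent present? (service name assumed)
$emet = Get-Service -Name 'EMET_Service' -ErrorAction SilentlyContinue
"EMET service present:   {0}" -f ($null -ne $emet)
```

Run it in a normal (non-elevated) PowerShell session as the user whose browser you care about, since the zone and EPM settings are per-user (HKCU); Group Policy can also set the same values under HKLM, so a machine that reports REVIEW here may still be covered by policy, and a machine that reports OK for the user has the settings regardless of how they got there.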
Or you could just download Chrome or Firefox and be done with IE once and for all.
Hat tip: Reuters