U.S. Homeland Security recommends not using IE until Microsoft releases patch

This past weekend, Microsoft issued a security advisory for all supported versions of its Internet Explorer web browser, due to recently discovered attacks that used a newly found zero-day exploit. The issue is so serious that the U.S. Department of Homeland Security has issued its own warning about the IE exploit.

The department's Computer Emergency Readiness Team has posted word on its website that Internet users and IT administrators should "enable Microsoft EMET where possible and consider employing an alternative web browser until an official update is available." It's rare for the team to issue a security alert that recommends people stop using a specific web browser family.

Microsoft's original security advisory, released on Saturday, describes the nature of the exploit:

The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer.

Microsoft says that attackers could create a website built specifically to take advantage of this exploit and then lure people to visit it via emails or other means. So far, the company has not announced when it plans to release a patch for this issue.
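The advisory's wording ("accesses an object in memory that has been deleted") describes a use-after-free: code keeps a pointer to an object after the object has been released and then reads or writes through it. The following C model is added here as an illustration; it is not code from Internet Explorer or Microsoft. The `node_t` type, the `node_new`/`node_retain`/`node_release` functions, the tiny arena and the `cb_delete` callback are all constructed for the example. The arena poisons freed slots with 0xDD, the way a hardened allocator would, so the stale read in the vulnerable handler is observable deterministically instead of being real undefined behaviour; the hardened handler holds its own reference across the callback, which is the usual fix for this class of bug.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed teaching model of a use-after-free (added example, not IE's
 * code). Objects live in a tiny arena so freed memory can be poisoned and
 * inspected without triggering real undefined behaviour.
 */
#define SLOTS 4
#define NAME_LEN 16
#define POISON 0xDD   /* freed-memory fill pattern, as a hardened allocator uses */

typedef struct {
    int alive;            /* 1 while allocated, 0 once released */
    int refcount;
    char name[NAME_LEN];  /* stands in for a DOM node's tag name */
} node_t;

static node_t arena[SLOTS];

/* Allocate a node with one reference held by the caller (NULL if the arena is full). */
node_t *node_new(const char *name) {
    for (int i = 0; i < SLOTS; i++) {
        if (!arena[i].alive) {
            arena[i].alive = 1;
            arena[i].refcount = 1;
            strncpy(arena[i].name, name, NAME_LEN - 1);
            arena[i].name[NAME_LEN - 1] = '\0';
            return &arena[i];
        }
    }
    return NULL;
}

node_t *node_retain(node_t *n) { n->refcount++; return n; }

/* Drop a reference; on the last one the slot is freed and poisoned. */
void node_release(node_t *n) {
    if (--n->refcount == 0) {
        n->alive = 0;
        memset(n->name, POISON, NAME_LEN);
    }
}

/* A script callback that deletes the node it was handed (e.g. removing it from the document). */
static void cb_delete(node_t *n) { node_release(n); }

/* Vulnerable pattern: the handler runs script that may free the node, then keeps
 * using its pointer. Returns the first byte of the name it read; POISON means the
 * read came from freed memory. */
int handler_unsafe(node_t *n, void (*script)(node_t *)) {
    script(n);                            /* may drop the last reference */
    return (unsigned char)n->name[0];     /* stale pointer dereference */
}

/* Hardened pattern: hold a reference for the duration of the call so the object
 * cannot be freed underneath us, and release it afterwards. */
int handler_safe(node_t *n, void (*script)(node_t *)) {
    node_retain(n);
    script(n);
    int first = (unsigned char)n->name[0];  /* still valid: we own a reference */
    node_release(n);                         /* may be the final release */
    return first;
}

/* The caller hands its only reference to the handler, whose script frees it. */
int demo_unsafe(void) {
    node_t *n = node_new("div");
    return handler_unsafe(n, cb_delete);   /* returns POISON (221) */
}

int demo_safe(void) {
    node_t *n = node_new("div");
    return handler_safe(n, cb_delete);     /* returns 'd' (100) */
}

int main(void) {
    printf("unsafe handler read byte 0x%02X (poison == 0x%02X)\n", demo_unsafe(), POISON);
    printf("safe handler read byte '%c'\n", demo_safe());
    return 0;
}
```

The poison byte is the point: mitigations such as EMET, and allocator hardening in general, do not remove the dangling pointer, they make the stale access fail loudly or land on unusable memory instead of on attacker-shaped data. The durable fix is the ownership discipline in `handler_safe`.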

Source: US-CERT via CNet | Image via Wikipedia


58 Comments


Still another example of a "conflicted" Microsoft, having lost its focus. The old saying "too many irons in the fire" applies.

TsarNikky said,
Still another example of a "conflicted" Microsoft, having lost its focus. The old saying "too many irons in the fire" applies.

Aaannddd..... There he is... The MS whisperer /s

/s, or don't feed the troll ;-)

And it's fun to see people go into a fit when the MS name is mentioned, relevant or not.... ;-P

derekaw said,
I recommend not using IE at all, ever.

You are absolutely right, IE is still as goofball as it was in the last decade. Only the non-tech-savvy, fanboys or institutions with compatibility reasons use IE. IE should be stripped out of the OS and thrown in the recycle bin.

Auditor said,

You are absolutely right, IE is still as goofball as it was in the last decade. Only the non-tech-savvy, fanboys or institutions with compatibility reasons use IE. IE should be stripped out of the OS and thrown in the recycle bin.

Ah, only non-tech-savvy people use it? Based upon what exactly? IE IS the most secure browser on Windows, period.

Chrome in itself is malware, as its main purpose is data mining; Firefox is a resource hog. As far as touch-enabled browsers go, IE is the only kid in town on Windows and it is arguably better than Safari on iOS.

No offense to you haters, but install EMET and IE is the most secure browser of them all. So far, none of the exploits that 'worked' on IE11 work with EMET running.

Microsoft, the only one capable of creating a malware- and exploit-free browser.

sjaak327 said,

Ah, only non-tech-savvy people use it? Based upon what exactly? IE IS the most secure browser on Windows, period.

Chrome in itself is malware, as its main purpose is data mining; Firefox is a resource hog. As far as touch-enabled browsers go, IE is the only kid in town on Windows and it is arguably better than Safari on iOS.

You forgot the /s while reading ;-)

Auditor said,

You are absolutely right, IE is still as goofball as it was in the last decade. Only the non-tech-savvy, fanboys or institutions with compatibility reasons use IE. IE should be stripped out of the OS and thrown in the recycle bin.

Do you have any rational way of backing up those emotions?

Auditor said,

You are absolutely right, IE is still as goofball as it was in the last decade. Only the non-tech-savvy, fanboys or institutions with compatibility reasons use IE. IE should be stripped out of the OS and thrown in the recycle bin.

What an absolutely ridiculous statement, as are several others on here. At least we know who the REAL fanboys are, and it's NOT the IE posters!

I haven't used IE in so many years, it's not even funny. But I have clients that do. I'll let them know. Thanks for the heads up! (at work right now, posting from my Lumia)

Obi-Wan Kenobi said,
I haven't used IE in so many years, it's not even funny. But I have clients that do. I'll let them know. Thanks for the heads up! (at work right now, posting from my Lumia)

Just have them all install EMET and call it a day.

Obi-Wan Kenobi said,
I haven't used IE in so many years, it's not even funny. But I have clients that do. I'll let them know. Thanks for the heads up! (at work right now, posting from my Lumia)

What browser do you use on your Lumia :)

Dutchie64 said,

IE on WP8 doesn't use the mentioned code, so is not vulnerable to this ;-)

I know, the guy did say he hadn't used IE for years.

Companies that don't have ESMT, Protection Mode enabled and are keeping IE Security zones updated via Group Policies and/or SCOM, well I guess those companies don't have any information worth securing. Loved the note where Adobe said the flaw exists in the Flash Player on ALL Platforms.

Bottom line is, if criminals want information on your company's computers, no browser, OS or platform is going to keep you safe if your users are stupid enough to click on a link.

This is why I said, use Firefox or Chrome. IE sucks like it did in the old days. I never use IE, and when I tried it, the font rendering in IE on Windows 8 looked like crap.

Auditor said,
This is why I said, use Firefox or Chrome.

And again, it doesn't matter. They *all* have vulnerabilities. Each and every one of them. Pick one, doesn't matter. Look no further than Pwn2Own for example. They all were exploited to run arbitrary code. Instead of pointing fingers, try securing your system a bit better. EMET for example stops this cold.

Auditor said,
This is why I said, use Firefox or Chrome. IE sucks like it did in the old days. I never use IE, and when I tried it, the font rendering in IE on Windows 8 looked like crap.

Actually, I like the way IE renders pages. On a tablet there is really no competition at all; IE11 is by far the best.

Of course, Chrome in itself is malware, as it has a habit of providing Google with data, some of it not configurable. If you must suggest other browsers for a rare zero-day vulnerability, Chrome is the worst suggestion; at the very least you could have suggested Chromium, which does not include Google's data mining code.

Yup. This announcement is like a déjà vu with IE6. IE is going to be forever insecure. Using Firefox and not returning to IE ever. Every download link is sent to Microsoft and their servers verify/spy on the downloads to validate their security risk. In effect, whatever you download using IE, Microsoft will always download the same content to verify/validate the security of the content.

IE 10 and now 11 are far better than any other browser out there. This is just the typical thing that happens, unfortunately; all other browsers are the same when it comes to stuff like this. Don't be thinking Chrome, Firefox or Safari are any better.

Krome said,
Yup. This announcement is like a déjà vu with IE6. IE is going to be forever insecure. Using Firefox and not returning to IE ever. Every download link is sent to Microsoft and their servers verify/spy on the downloads to validate their security risk. In effect, whatever you download using IE, Microsoft will always download the same content to verify/validate the security of the content.

Actually that feature isn't there to spy on you, it is for security purposes. And you can actually disable it completely.

I normally disable such things, no matter what software I install. I only install the basic functionality and no other crapware or add-ons that are added to it as an option. Having said that, I believe I disabled that security snooping in IE at the time, but the firewall and HTTP logs show Microsoft did have access to the file that was being tested.

Krome said,
I normally disable such things, no matter what software I install. I only install the basic functionality and no other crapware or add-ons that are added to it as an option. Having said that, I believe I disabled that security snooping in IE at the time, but the firewall and HTTP logs show Microsoft did have access to the file that was being tested.

*disables security features*
*complains that browser is insecure*

I would not consider that add-on that Microsoft adds to IE a needed security feature. I prefer to use my instinct on what I download. I don't download questionable exe files and execute them like no virus ever existed. Other browsers do not download the content that I download. Not sure if Firefox is interested in gathering the info on what I download and then downloading the same file just to test it for security for me. So I prefer that route better. That security is probably needed by the inexperienced PC user. So your taunt does not seem too valid to use on me.

Krome said,
Yup. This announcement is like a déjà vu with IE6. IE is going to be forever insecure. Using Firefox and not returning to IE ever. Every download link is sent to Microsoft and their servers verify/spy on the downloads to validate their security risk. In effect, whatever you download using IE, Microsoft will always download the same content to verify/validate the security of the content.

It's really easy to protect yourself from this vulnerability. Just enable Enhanced Protected Mode. It used to be enabled by default.

Considering the US Government only uses IE this is sort of funny that "Homeland Security" is telling everyone not to use it.

Auditor said,
All those supporters of IE ranting that every other browser is insecure, then I guess they did not get the memo from the US and UK governments and the Department of Homeland Security to not use IE.
http://www.cnet.com/news/stop-...until-bug-is-fixed-says-us/

I am sure they have much more IT skill than these perception-based supporters here.

To be fair, the suggestion of using an alternative browser is directed at XP users, because MS isn't supporting it anymore. If you have a newer version of IE, you can just turn on Enhanced Protected Mode and you're fine.

"US-CERT recommends that users and administrators review Microsoft Security Advisory 2963983 for mitigation actions and workarounds. Those who cannot follow Microsoft's recommendations, such as Windows XP users, may consider employing an alternate browser."

TheGhostPhantom said,

Considering the US Government only uses IE this is sort of funny that "Homeland Security" is telling everyone not to use it.

They're not. They're telling unsupported XP users not to use it.

Auditor said,
All those supporters of IE ranting that every other browser is insecure then I guess they did not get memo from US

Instead of waiting for a memo, how about using your browser of choice and searching for relevant information.. takes all of two seconds. Each and every one of them has had critical vulnerabilities that allowed code execution.. no exceptions. (Even Lynx before somebody tosses that out there.) This isn't blind fanboyism (I personally don't use IE myself, Firefox user safely in a sandbox thanks) but if you refuse to look it up and if you want to confuse facts and "perception" and play the "Derp Microsoft everything else is better" card, then that's on you.

"I am sure they have much more IT skills than these perception based supporters here. "

First of all, professor, that article isn't suggesting that users switch to other browsers because they are inherently safer than IE; it's saying that this bug is so bad people should take the extraordinary step of not using IE until a patch is available (which it is).

Secondly, IE is a safer browser:

In 2013:

All versions of IE: 125 published vulnerabilities
(http://1.usa.gov/1keMFvP)

All versions of Firefox: 137
(http://1.usa.gov/1ry5oVV)

All versions of Chrome: 169
(http://1.usa.gov/1hKFXec)


Krome said,
I normally disable such things, no matter what software I install. I only install the basic functionality and no other crapware or add-ons that are added to it as an option. Having said that, I believe I disabled that security snooping in IE at the time, but the firewall and HTTP logs show Microsoft did have access to the file that was being tested.

Of course they did; if they didn't, the feature would not work.

Max Norris said,

Instead of waiting for a memo, how about using your browser of choice and searching for relevant information.. takes all of two seconds. Each and every one of them has had critical vulnerabilities that allowed code execution.. no exceptions. (Even Lynx before somebody tosses that out there.) This isn't blind fanboyism (I personally don't use IE myself, Firefox user safely in a sandbox thanks) but if you refuse to look it up and if you want to confuse facts and "perception" and play the "Derp Microsoft everything else is better" card, then that's on you.

IE11 with EMET has been going exploit free for a while now.

Lord Method Man said,

*disables security features*
*complains that browser is insecure*

Complaining about the gun's safety, and then shooting oneself in the foot ;-P

Dutchie64 said,

Complaining about the gun's safety, and then shooting oneself in the foot ;-P

I am not sure if you understood my post, but that statement is so far off from what I've said.

So...once again...it depends on the end user not being smart enough and following links blindly to a hacker's site. It does and doesn't matter if this gets patched; people are their own worst enemy.

It's not simply a case of telling the end user not to follow bad links or visit porn sites or something. Multiple legit sites (nytimes.com, washingtonpost.com, yahoo.com, etc.) have served up malware before. The malware writers know their best chance of hitting a lot of people quickly is through the ad servers, and they've done it multiple times.

30075 said,
It's not simply a case of telling the end user not to follow bad links or visit porn sites or something. Multiple legit sites (nytimes.com, washingtonpost.com, yahoo.com, etc.) have served up malware before. The malware writers know their best chance of hitting a lot of people quickly is through the ad servers, and they've done it multiple times.

Ad Block Plus ftw?

Hmm reading the advisory, I don't see this being a huge problem.

I quote: "The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer.".

IE runs with a user token, so the damage that could be done is minimal, unless the user actually elevates.

Audien said,
Then you add a second exploit to elevate privileges.

No such exploit is currently known, and that would be much harder to pull off than it sounds. However, there are a lot of bad things that can be done without elevated privileges.

Audien said,
Then you add a second exploit to elevate privileges.

That isn't as simple as you make it sound. I forgot to say that IE's process is sandboxed and has a very low priority, which makes it unable to access processes with higher priority due to Mandatory Integrity Control.

sjaak327 said,
That isn't as simple as you make it sound. I forgot to say that IE's process is sandboxed and has a very low priority, which makes it unable to access processes with higher priority due to Mandatory Integrity Control.

I never said it was simple, nor did I say that known exploits exist. What you describe are mitigations, and by definition an exploit circumvents those mitigations.

I suggest you read up on FLAME and Stuxnet as they had different local elevation of privilege exploits for different versions of Windows. If you knew of them, you can certainly chain them to break out of sandboxes and own a system.