A bug in all versions of Internet Explorer leaves anyone using IE in conjunction with the Windows Operating System (more than 40% of Internet users in North America according to StatCounter) vulnerable to infection by Trojan horse viruses. In a Security Advisory released by Microsoft on September 17, 2012, Microsoft explains that “an attacker who successfully exploited this vulnerability could gain the same user rights as the current user,” meaning the hacker could control your system remotely.
While Microsoft promises that they’re working to develop a patch to close the browser vulnerability, I urge Internet Explorer users to immediately switch to Google Chrome or Mozilla Firefox, at least until a fix is released. This could be as soon as a few days, or it may take several weeks.
IT Security Advisor Eric Romang detailed the security hole in a blog he posted over the weekend of September 15th. He came upon the flaw while researching a hole in the software code of Java exploited by the hacker group “Nitro Gang” to execute a series of targeted malware attacks against chemical and defense industry companies.
The bug allows hackers to infect a compromised computer with malware that makes Windows vulnerable to “drive-by” attacks. These allow viruses and malware to infiltrate your system by simply visiting a malicious or infected website. Once infected, the usual advice of “don’t run any executable files or install any programs” isn’t sufficient – your browser is, in essence, re-programmed to welcome malware.
While hackers have already used the browser vulnerability to launch attacks (most notably the “Poison Ivy” Trojan found embedded in emails masquerading as meeting requests and software updates) the public release of the code as well as widespread acknowledgement of the hole is sure to spur increased activity by virus and malware writers. Simply running an up to date anti-virus program isn’t enough to keep your system protected.
Microsoft recommends that users run a “Fix It” solution entitled “Prevent Memory Corruption via ExecCommand in Internet Explorer” that re-configures browser settings to prevent exploitation of the hole. It can be found via their support site. This is a workaround, not a patch.
Alternatively, Microsoft suggests installing their Enhanced Mitigation Experience Toolkit (EMET) 3.0, a program that adds protections against software vulnerabilities. Information and download links are posted to their support forum.
The EMET 3.0 software is designed for enterprise IT professionals, so basic users may encounter difficulty when attempting to manually configure protections. An easier solution is to stop using Internet Explorer until Microsoft has produced and distributed a patch. Download and install an alternate browser such as Google Chrome or Mozilla Firefox.
Chrome has some notable advantages over Firefox. It utilizes “sandboxing,” a protocol that isolates tabs from the rest of your system. If you encounter an infection or piece of malicious code in a tab it simply closes the affected tab and kills the process, leaving your system and remaining tabs unmolested. Chrome also blocks plug-ins from installing software or running scripts without user interaction. Users that visit websites that run active code (such as online games or payment calculator sites) will also benefit from Chrome’s integrated “Just-in-time” (JIT) hardening. JIT blocks malicious code hosted on web pages from running on your system.
If you are a loyal Firefox user, you are certainly safer in this regard than those using Internet Explorer. Increase your protection from malware by keeping your antivirus software up to date and installing the Firefox plug-in “HTTPS Everywhere.” It lets you browse over 1,000 websites securely by encrypting the information on the page, making it nearly impossible for a hacker to recreate passwords, emails or personal data you provide while online.
On Friday, September 21st, Microsoft issued an emergency patch to rectify the vulnerability in Internet Explorer. If you don’t have automatic updates enabled, download and install the Windows security update from http://technet.microsoft.com/en-us/security/bulletin/ms12-063 before surfing the net with Internet Explorer.