Microsoft Internet Explorer has a new security flaw, and it appears to have already been exploited with malicious intent.
What does this mean for you? Well, nothing, if you're part of the large majority of internet users who avoid that particular browser. But if your Dad is part of the 7.5 percent or so of Internet Explorer fans out there, we've got some evidence that might persuade him otherwise.
Here's what happened, and just how bad it is.
New Security Flaw Exposed in Internet Explorer
The news comes from US-CERT, a cybersecurity branch within Homeland Security. Last Friday, it revealed the vulnerability in a blog post, calling it a “memory corruption vulnerability” that makes it possible for a “remote, unauthenticated attacker to execute arbitrary code.”
A scripting engine within IE is to blame, and any application that supports an embedded version of Internet Explorer or an embedded version of that scripting engine component is vulnerable.
What's the potential impact of this exploitation?
“By convincing a user to view a specially crafted HTML document (e.g., a web page or an email attachment), PDF file, Microsoft Office document, or any other document that supports embedded Internet Explorer scripting engine content, an attacker may be able to execute arbitrary code.”
The use of the word “may” is a little coy: That same CERT post comes right out and explains that the vulnerability “was detected in exploits in the wild.” In other words, hackers are already taking advantage of it, targeting Internet Explorer users.
If there's a solution, it's one that CERT is “currently unaware” of.
What Has Microsoft Said?
Microsoft has issued an update in response, although it might not make you feel much better. Here's the relevant question from a short Q&A the company posted about this particular bug.
Is there an update to address this vulnerability?
No, Microsoft is aware of this vulnerability and working on a fix. Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers.
CERT pointed out the vulnerability on the 17th, just missing Update Tuesday by three days — meaning that Microsoft is giving itself nearly a full month to address the issue. Users could remain vulnerable until Feb 11th.
Don't worry, they called the actual attacks happening during that time “limited.”
How Can I Protect Myself?
Our first and main advice here? Stop using Internet Explorer.
The issue here isn't so much the security vulnerability, even if it is a big one. The problem is Microsoft's snail-paced response time, which indicates they aren't prioritizing support for their long-in-the-tooth browser.
Swapping to a new browser shouldn't be too difficult, as most people have already done so. According to the watchdog stats site W3Counter, as of last month, just 7.5% of internet users picked Internet Explorer or Edge as their browser of choice. That's a steep drop from its 13.2% market share just four years earlier.
Chrome is by far the most popular option, while Safari is also ahead of Microsoft's browsers. Firefox — while a clear underdog with just 5.5% of the web browser market — is one of the more secure options, and a great pick for data-conscious browsers.
Finally, if you're truly attached to a Microsoft browser, go with Edge — it may not be the fastest, but it's more secure than Internet Explorer and, as of 2015, is Microsoft's main browser.