Internet Explorer Vulnerability Makes Browser Switch a Good Idea

A grave and widespread vulnerability in the application makes the argument for switching to a different browser about more than just aesthetics.

by Justin Dennis, McClatchy News Service / April 30, 2014

It’s something tech-savvy grandchildren have warned their elders about for years: Microsoft’s Internet Explorer has long been ridiculed as a “lame duck” Web browser, although version 11 was a step in a more modern direction.

Now, a grave and widespread vulnerability in the application makes the argument for switching to a different browser about more than just aesthetics.

The United States Computer Emergency Readiness Team (CERT) identified the security flaw and published a report Saturday.

The flaw allows Internet Explorer versions 6 through 11 to be exploited remotely, possibly causing a complete compromise of a user’s machine.

More than half of all computers run Internet Explorer, according to market share data.

Hackers can exploit the bug through Adobe Flash, according to CERT, and they’ve already begun taking advantage of it.

“Although no Adobe Flash vulnerability appears to be at play here, the Internet Explorer vulnerability is used to corrupt Flash content in a way that allows (address space layout randomization) to be bypassed via a memory address leak,” reads the report on the CERT website.

“This is made possible with Internet Explorer because Flash runs within the same process space as the browser. Note that exploitation without the use of Flash may be possible.”

After getting a user to view an HTML document – either through an email attachment or by setting up a phony website and inviting users to click – online ne’er-do-wells can execute code on the user’s system without detection or security flags. The vulnerability allows hackers to bypass Windows authentication because their code is hiding behind existing memory addresses.

An intruder would have the same administrative rights as the user who was duped, according to Microsoft. So, an attack on a child user who may have restricted system access would make less of an impact.

Although Microsoft has not yet fixed the vulnerability, there are myriad workarounds. For starters, users can simply install a different browser. The two most popular options are Google Chrome and Mozilla Firefox.

Most browser- and client-based email applications, including Microsoft Outlook, Outlook Express, Windows Mail, Google Mail and Mozilla Thunderbird, open HTML attachments securely, disabling scripting functionality that could be used maliciously. Not all email applications do this, however. The sound advice is to be more vigilant about suspicious emails or links to potentially malicious websites.

According to cybersecurity firm FireEye Inc., IE users can also enable “Enhanced Protected Mode” to break the exploit or simply disable the Adobe Flash plug-in in their browser, but this greatly limits the online content users will be able to view.

Instructions on employing any of these solutions can be found on the right sidebar.

According to Microsoft, any Internet Explorer version running on the Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 or Windows Server 2012 R2 operating systems is, by default, safe.

©2014 The Tribune-Democrat (Johnstown, Pa.)