UK, US govts advise computer users to stop using IE till bug fixed

29 Apr 2014

Computer users in the US and UK have been advised by their respective governments to consider using alternatives to Microsoft's Internet Explorer browser until the company fixed a security flaw that hackers used to launch attacks.

UK, US governments advise computer users to stop using IE till bug fixedThe Internet Explorer bug, the first high-profile computer threat to emerge after Microsoft stopped providing security updates for Windows XP earlier this month was disclosed over the week end.

According to the Department of Homeland Security's US computer emergency readiness team's advisory released yesterday, the vulnerability in versions 6 to 11 of Internet Explorer could lead to ''the complete compromise'' of an affected system.

In a similar advice to British computer users, the recently established UK national computer emergency response team said, that in addition to considering alternative browsers, they should make sure their antivirus software was current and regularly updated.

Interestingly, the British government has signed a deal worth $9.2 million with Microsoft to provide critical and important security updates for Windows XP, as well as Office 2003 and Exchange 2003 for the entire UK public sector for 12 months after 8 April, while the Irish government will pay $4.5 million for a similar support arrangement. (See: British, Irish governments to pay Microsoft to extend Windows XP support)

According to research firm NetMarketShare, Versions 6 to 11 of Internet Explorer dominated desktop browsing making up 55 per cent of global market share.

Security experts had long been warning Windows XP users to upgrade to Windows 7 or 8 before Microsoft ended support to it beginning of this month.

According to commentators, the threat that emerged over the weekend could be the wake-up call that could prompt the estimated 15 to 25 per cent of PC users who still used XP to dump those systems.

With the new remote code execution vulnerability, CVE-2014-1776, hackers could give themselves the same user rights as the current user (See:New zero day vulnerability in IE allows remote code execution).

In other words, successful attackers who infected a PC running as administrator would have a wide variety of attacks open to them such as installing more malware on the system, creating new user accounts, and changing or deleting data stored on the target PC.

Most PCs run under an administrator account.

The attacks are not theoretical and security firm FireEye had discovered the attacks being actively used in the wild. For these attacks to work, however, users would need to visit a malicious website attempting to install the code.

According to Microsoft, attacks could also come from "websites that accept or host user-provided content or advertisements" where an attacker could insert malicious code.

Microsoft had to decide yet whether it would release an emergency patch soon or wait for patch Tuesday on 13 May to repair supported versions of IE.