Security Experts: Stop Using Internet Explorer

John Lister's picture

The United States Department of Homeland Security (DOHS) has warned that users should switch away from Internet Explorer until a serious bug has been fixed. It's the first big security scare since Microsoft stopped supporting Windows XP earlier this month.

The bug doesn't have a glamorous nickname and is instead simply known as CVE-2014-1776. When triggered, the bug allows for remote code execution, which means a third party would have full control over a remote PC without the need for credentials or consent from the PC owner.

By clicking on a malicious link or by visiting an infected website, a PC running Internet Explorer can become instantly compromised and/or infected by a malware payload. Payloads usually result in access to and tampering with confidential data (including credit card fraud or identity theft), holding the computer's data for ransom, turning the PC into a spamming botnet, or worse.

Currently no Fix for Internet Explorer, but Manual Workarounds Exist

The bug is due to a fundamental flaw in Internet Explorer itself rather than a one-off coding error. The problem affects every edition from Internet Explorer 6 (the first browser update released for Windows XP) right through to the current Internet Explorer 11.

At the moment, there's no fix for CVE-2014-1776; as such, the bug is also known as a zero-day exploit. Microsoft has not yet decided whether any such fix will be released as an out-of-cycle update (commonly called an 'emergency patch') or as part of the next scheduled monthly update on the second Tuesday of the month, known as Patch Tuesday.

Microsoft has detailed a series of workarounds for the various editions of Internet Explorer and Windows. The extent of these workarounds vary from edition to edition, with users of Internet Explorer 10 and 11 on 64-bit editions of Windows able to access the most effective protection. The workarounds don't stop the problem but limit the ability of hackers to take advantage. (Source: microsoft.com)

Because the workarounds vary so much, Microsoft is not able to issue a hotfix, which is effectively a program to automate a temporary patch. Instead, users must manually change browser and Windows settings to apply their own workaround.

US Government Suggests Switching Browsers

The US-CERT team, which deals in computer security at the Department of Homeland Security, has issued official government guidance about the issue:

"US-CERT recommends that users and administrators review Microsoft Security Advisory 2963983 for mitigation actions and workarounds. Those who cannot follow Microsoft's recommendations, such as Windows XP users, may consider employing an alternate browser." (Source: us-cert.gov)

That advice is backed by several independent security experts, who go as far as to say that anyone who still uses Windows XP should ditch Internet Explorer permanently. Microsoft finally stopped issuing any form of security update for XP early this month.

Microsoft has specifically said that when it fixes this new bug, it won't be issuing a fix for XP users. It's a significant moment as some security analysts wondered if Microsoft would stick to its word when such an incident occurred.

What's Your Opinion?

Do you still continue to use Internet Explorer, or have you already switched to another web browser? Are you a Windows XP user and will this incident persuade you to upgrade to a later edition of Windows? Do you think Microsoft is right to stick to its deadline of ending XP support, or do you believe it has a responsibility to protect the system while it is still so widely used?

Rate this article: 
Average: 5 (4 votes)

Comments

DavidFB's picture

I've never used IE as a web browser. Started with Netscape. Use Firefox these days, with several security plugins.
I only use XP in a virtual machine for very old software, not browsing.

Given how soon this is after the end of XP support, that its a zero-day, and that its in the browser they'll have to fix in other versions, I think they should offer an XP fix. Otherwise, this has the potential to be a major issue with massive numbers of compromised PC's.

It's called taking car of your children, even if they have left home.

It's like the virus problem. If ISP's had taken some responsibility early on, it never would have developed that individual PCs would need AV protection as it never would have developed like that.

ClemsKreb's picture

The only reason Internet Explorer is on my computers is its too hard to delete it!!!! I initially used what came with AOL, but as soon as I could BUY a copy of NETSCAPE 2.1, I used Netscape right up through I believe Version 9.0. I currently am using Opera or Safari for Windows. I know if Microsoft was forced to BUNDLE ALL Browsers with every new computer sold, IE would account for less that 10% of the market and Netscape might still be around.

DavidFB's picture

Microsoft is updating IE, even for XP.
http://www.infoworld.com/t/microsoft-windows/one-the-road-microsoft-patches-windows-xp-sa-2963983-241737

NOTE - even if you don't use IE, you should update it because it is closely integrated with the OS.