Internet Explorer Exploit Discovered (April 2014)
Update at end of article.
Microsoft has announced what they refer to as a “zero-day exploit” threat that can affect those using the Internet Explorer web browser.
Zero-day essentially means that there is no patch (fix) available or even being developed when the threat was found.
An exploit is a threat that is much more dangerous than traditional malware. Malware relies on a user falling for a trap and installing malicious software on their computer, whilst hoping the antivirus software doesn’t pick up on it. An exploit, well, exploits a vulnerability in the user software (in this case Internet Explorer) and thus does not rely on a user falling for such a trap.
In fact this exploit can take effect just by a user merely navigating to an affected webpage. Whilst malware would need a user to download harmful files (or give them permission to download), the exploit does not require this.
If a user visits an affected webpage, it can potentially give a scammer the ability to execute code onto the user’s computer. That is not good.
At the time of writing, there is no patch available, but it shouldn’t take long, so make sure you install all of those Windows Updates when prompted to in the upcoming days. Until then be especially careful on what websites you choose to visit, if you use Internet Explorer (versions 6-11).
Naked Security has outlined some steps you can take to protect yourself from the threat until then which many cautious users may want to take (you’ll need to turn on Prompts for Active Scripting, instructions provided via the link meaning when you visit a website that uses Flash then you’ll be prompted for permission to run the webpage content.)
Or of course if you don’t already, you can opt to use another Internet browser, like Firefox or Chrome.
And for those XP users? If you’ll remember correctly, XP has no security updates coming, since it’s now unsupported. Meaning this is the first major security flaw that XP will [probably] never be protected against. For those users, you’ll need to unregister a DLL file called VGX. Don’t worry, Naked Security have instructions on how to do that as well on the same webpage.
(And just a reminder for those XP users, these flaws get discovered all the time, and for every one that gets uncovered, that’s another hole in an already sinking ship called XP. So it may be time to start seriously thinking about changing that operating system! Sorry!)
Update:
Microsoft have opted to release an “out-of-cycle” patch for this vulnerability. This means that security patch has been released earlier than “Patch Tuesday” (the second Tuesday of each month when Microsoft usually release their updates) All users are recommended to install the patch update as soon as possible. Go to Control Panel and Windows Update to download and install all pending updates.