Zero-day exploit targets IE; some researchers advise switching browsers

Some security experts are urging individual and enterprise users running Internet Explorer to switch to another browser for now, in the face of a new zero-day exploit affecting IE.

Security researcher and blogger Eric Romang discovered a new zero-day exploit over the weekend that targets multiple versions of IE, which runs on about 40 percent of the computers in North America.

Microsoft, in an advisory, said the vulnerability affects Internet Explorer 6, 7, 8 and 9 (but not IE 10) running on just about any Windows operating system. But the company noted that on Windows Server 2003, 2008 and 2008 R2, the browser runs in a restricted configuration that mitigates the vulnerability.



Not surprisingly, Microsoft does not recommend switching from IE. It recommends installing the Enhanced Mitigation Experience Toolkit, a limited support utility that helps prevent exploitation of vulnerabilities but which is available only in English. It also recommends setting Internet security settings to high to block ActiveX controls and Active Scripting. A full patch is expected sometime in the next week.

Meanwhile, some in the security community are recommending that users abandon the popular IE browser, at least until a fix is available.

“Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available,” recommended Metasploit, developer of the open-source penetration testing tool. “The exploit had already been used by malicious attackers in the wild before it was published.”

The exploit can download code to a vulnerable computer that visits a malicious Web site.

The news comes just weeks after a zero-day exploit for Java 7 hosted on the same server raised the question of whether the risks of running Java outweighed the benefits. Oracle addressed that vulnerability with an unusual out-of-cycle patch, but the popularity of Java with hackers and its ubiquity in browsers had many in the security community recommending that it be at least turned off in the browser, if not removed from computers.

The Java flaw was being exploited by a hacker group apparently based in China, dubbed the Nitro gang by Symantec, which in 2011 had attacked systems in the chemical industry and at some defense contractors, researchers said. Romang said the IE exploits were possibly from the same group.

So is it time to get rid of Internet Explorer? There are those who have long advocated for other, supposedly more secure, browsers who undoubtedly will say yes. Microsoft still has a commanding market share, with IE 9 claiming a quarter of the North American market as of August, and IE 8 about another 14 percent. But Chrome has a strong 21 percent and Firefox comes in with about 14 percent, according to StatCounter global stats.

As long as Microsoft continues to lead the browser market, IE is likely to be a popular target for attackers. For the short term, dropping IE might make sense for you, as long as it isn’t more trouble to replace browsers in your enterprise than it is to patch them. But you never know for sure just how secure a commercial product is until it has been subjected to a trial by fire, and if other browsers replace IE, they are likely to feel the heat.

Reader Comments

Wed, Sep 19, 2012

The German government's Federal Office for Information Security urges the public to stop using Internet Explorer. It issued the warning as a researcher said he found evidence that suggests the hackers who exploited the flaw were seeking to attack defense contractors. See http://goo.gl/lY4PZ

Wed, Sep 19, 2012

It is not only time to switch the browser, it's time to get rid of all MS-Products - at least for government-agencies! This last IE-flaw is no flaw - it is a well developed back-door!!

Tue, Sep 18, 2012

Dave Marcus, Director of advanced research and threat intelligence with Intel Corp's McAfee security division, said it might be a daunting task for home users to locate, download and install the EMET tool. "For consumers it might be easier to simply click on Chrome," Marcus said. Internet Explorer was the world's second-most widely used browser last month, with about 33 percent market share, according to StatCounter. It was close behind Google Inc's Chrome browser, which had 34 percent of the market. See http://goo.gl/sNZpZ
