On Saturday, April 26th, Microsoft disclosed a bug in their somewhat popular web browser Internet Explorer. This bug, which has not yet had the privilege of being branded with a catchy Heartbleed-esque name, affects Internet Explorer versions 6 through 11, which between them run on more than half of the PCs on Earth. Though IE's popularity has lessened significantly in recent years, it still comes standard on a huge variety of PCs including, of course, every one that Microsoft sells. Now the U.S. Department of Homeland Security (through US-CERT) is urging internet users to steer clear of IE until the issue has been resolved. They strongly recommend switching to one of IE's competitors, such as Chrome or Firefox, while Microsoft works on a fix.

Oddly, Microsoft's own public stance seems borderline casual. Their official statement says they will "take appropriate action… which may include providing a solution through our monthly security update release process or an out-of-cycle security update, depending on customer needs." In other words, there is a major bug that they are responsible for, which affects some 55% of PCs and the people who use them, and they have not committed to a date for fixing it. As such, the Department of Homeland Security's suggestion seems entirely reasonable.
What is This Bug Exactly?
Microsoft calls the bug a "remote code execution vulnerability" and says that it "may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user." Basically, that means an attacker who gets you to load a page they control can run any code they wish on your computer, with whatever rights the account running Internet Explorer has. The phrase "in the context of the current user" is the one caveat worth noticing: if you browse from a standard, non-administrator account the attacker is confined to what that account can do; if you browse as an administrator, which is the default on most home PCs and on nearly every XP machine, they can take over the computer completely. In that case they could view any data it contains and edit or delete it as they see fit, install malicious programs, or create an account of their own with full user rights, giving them access to absolutely everything. If that sounds a lot more horrifying in my words than it does in Microsoft's, that is probably because they are trying to implement a little damage control.
What Caused This Bug?
According to Microsoft, the "vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated." In security terms that describes a use-after-free: some part of the browser keeps a pointer to an object after the memory for that object has been released, and later uses the pointer anyway. Because the freed memory can be reclaimed by a new allocation in the meantime, an attacker who can trigger the right sequence of page operations from script can arrange for their own data to sit where the old object was, so the stale pointer now leads the browser to attacker-controlled memory. When pressed for more detail than that one sentence, Microsoft chose not to provide it.
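To make that one-sentence description concrete, here is an added illustration of the bug class (written for this page; it is not Internet Explorer's code and does not reproduce the actual IE defect). A two-slot pool allocator stands in for the browser heap so the reuse of a freed slot is deterministic; the `element_t` layout, the handlers and the "spray" allocation are all invented for the demo. The vulnerable function keeps a raw pointer across a delete, the fixed function uses reference counting so that nothing still pointed at can be freed:

```c
#include <stdio.h>
#include <string.h>

/* Toy DOM element. The first field is a function pointer, standing in for the
 * vtable pointer a C++ object carries. Layout is invented for the demo. */
typedef struct {
    int (*on_event)(const char *name);   /* returns 0 for benign, 1 for attacker */
    char name[24];
    int refs;                            /* used only by the fixed version */
} element_t;

/* Two-slot pool with a LIFO free list: the slot freed most recently is the
 * next one handed out, which is exactly the heap behaviour a use-after-free
 * exploit relies on. Hand-rolled so the demo is deterministic (reusing memory
 * after the real free() is undefined behaviour and varies between allocators). */
#define POOL_SLOTS 2
static element_t pool[POOL_SLOTS];
static int free_list[POOL_SLOTS];
static int free_top;

static void pool_init(void) {
    memset(pool, 0, sizeof pool);
    free_top = 0;
    for (int i = POOL_SLOTS - 1; i >= 0; i--)   /* push 1 then 0: slot 0 comes out first */
        free_list[free_top++] = i;
}
static element_t *pool_alloc(void) { return free_top > 0 ? &pool[free_list[--free_top]] : NULL; }
static void pool_free(element_t *e) { free_list[free_top++] = (int)(e - pool); }

static int benign_handler(const char *name)   { printf("benign handler for %s\n", name); return 0; }
static int attacker_handler(const char *name) { printf("attacker-controlled code runs for %s\n", name); return 1; }

/* Vulnerable pattern: one part of the browser keeps a raw pointer to an
 * element, the element is deleted from the document, and the pointer is used
 * afterwards. An attacker who can allocate an object of the same size in
 * between (a heap spray from script) now controls the function pointer. */
int vulnerable_dispatch(void) {
    pool_init();
    element_t *el = pool_alloc();
    el->on_event = benign_handler;
    strcpy(el->name, "div#victim");

    element_t *dangling = el;   /* e.g. an event listener still holding the element */
    pool_free(el);              /* element removed: the memory "has been deleted" */

    element_t *spray = pool_alloc();      /* same size, so the same slot comes back */
    spray->on_event = attacker_handler;   /* attacker data where the vtable pointer was */
    strcpy(spray->name, "the current user");

    return dangling->on_event(dangling->name);   /* use after free: returns 1 */
}

/* Fixed pattern: every holder takes its own reference, so removal from the
 * document cannot free an object someone still points at. The attacker's
 * allocation lands in a different slot and no dangling pointer ever exists. */
static void element_retain(element_t *e)  { e->refs++; }
static void element_release(element_t *e) { if (--e->refs == 0) pool_free(e); }

int fixed_dispatch(void) {
    pool_init();
    element_t *el = pool_alloc();
    el->refs = 1;               /* owned by the document */
    el->on_event = benign_handler;
    strcpy(el->name, "div#victim");

    element_t *held = el;
    element_retain(held);       /* the listener owns a reference too */
    element_release(el);        /* document drops its reference; the object survives */

    element_t *spray = pool_alloc();      /* gets the other slot */
    spray->on_event = attacker_handler;
    strcpy(spray->name, "the current user");

    int result = held->on_event(held->name);   /* still the benign handler: returns 0 */
    element_release(held);      /* last reference gone: only now is it freed */
    return result;
}

int main(void) {
    printf("vulnerable: %d\n", vulnerable_dispatch());   /* 1: attacker handler ran */
    printf("fixed:      %d\n", fixed_dispatch());        /* 0: benign handler ran */
    return 0;
}
```

The two-slot pool is the whole trick: with a real heap the attacker has to spray many same-sized objects to make the reuse likely, which is why mitigations that make heap layout less predictable, or that run the browser with fewer rights, lower the odds of a successful attack without removing the bug.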
Am I at Risk?
If you use Internet Explorer, this bug puts you at risk. The attacker does not need any other way into your system: the browser itself is the way in. All they need is for IE to load a page they control, which they can arrange with a link in an email or instant message, a malicious site of their own, or an advertisement or script injected into a site you otherwise trust. You do not have to download or run anything; simply rendering the page is enough. So if you have clicked on a link or landed on a website you did not fully trust while using IE, you have been exposed, and until the fix ships every new page you open in IE is another roll of the dice.
Is a Solution on the Way?
Microsoft is working on a fix for IE versions 6 through 11, but they ended support for Windows XP about three weeks ago (on April 8th), and as such they will not be providing a fix for users who access the web from that operating system. The decision to leave XP out has proven controversial, mainly because somewhere between 15% and 25% of PC users still run XP every day. Microsoft's advice to those users is to move to a supported version of Windows, which would also bring a newer version of IE once the fix is out. Updating IE alone does not help: IE8 is the newest version XP can run, and it is on the affected list. Those with older computers which cannot run a newer Windows are pretty much out of options, unless they want to buy a new computer or, perhaps, switch to a different browser.
What effect has this bug had so far?
Honestly, we don't know. Once again, Microsoft is being very vague here, saying that they have been made aware of "limited, targeted attacks" against "US-based firms currently tied to defense and financial sectors." Who has been attacked? How many attacks have been confirmed? What was the nature of these events? Microsoft won't say. We do know that FireEye, the security firm that reported the attacks to Microsoft, has named the campaign Operation Clandestine Fox, which I think is just fantastic. What are the attackers' motives? Unclear, just like everything else about this bug, though they appear to be focused on "broad-spectrum intel gathering." In other words, they are stealing information, but we don't know what information or why. As for how long they have been exploiting it, that is unknown at this time. Microsoft is not saying how long this vulnerability has been present in IE, so for all we know it very well might have been there from the start.
When Will This Problem Be Resolved?
As for when it will be resolved, their official stance is basically, as I previously stated, "we'll get to it when we get to it." That being said, some preventive measures are available. Microsoft is quick to point out that those running Internet Explorer on Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2 are far less exposed, because IE on those systems runs by default in a restricted mode (Enhanced Security Configuration) that blocks the scripting a web page needs to trigger the bug. For everyone else, Microsoft recommends turning on Enhanced Protected Mode (available on Windows 7, 8 and RT with IE 10 or 11), though they say this is not an actual solution, just a way of tipping the odds in your favor. EPM runs the browser's tab processes with fewer rights, and on 64-bit Windows 8 it runs them as 64-bit processes, which makes the memory layout an exploit depends on much harder to predict. The bug is still there, but EPM makes it harder for an attacker to use it against you. At the time of this writing the issue has still not been resolved.
Currently, Microsoft seems to be doing all it can to preserve the reputation of Internet Explorer. Their vague language makes the issue seem less pressing than it really is, and their casual stance is tailor-made to keep the potential panic of IE users at bay. However, the truth is that this bug puts every IE user at tremendous risk, and the fact that Microsoft isn't shouting that from the rooftops at this point is pretty deplorable. Sure, there will be a fix in time, and Microsoft is doing what it can to make IE safer for as many users as possible, but "safer" isn't the same thing as "safe." Right now, it really is in your best interest to follow the advice of the Department of Homeland Security and switch to another browser. IE is simply not secure right now, and if you are using an older computer which runs XP it may never be again in your case. Keep an eye on Microsoft, as I'm sure they will announce the fix as soon as it's finalized and approved, but do yourself a favor and do it from a different browser, at least for now.