There’s lots of reports around today about a new vulnerability discovered affecting Microsoft’s web browser, Internet Explorer versions 6, 7, 8 and 9 running on Windows XP, Vista and 7. For the moment it seems that Internet Explorer 10 running on Windows 8 is not affected, however only those in the business and the geeks and egg-heads are likely to be using Windows 8.
If you just want to know what to do and don’t care about the terms and technicalities, just skip down to “What should I do?” now.
What is a “zero-day” vulnerability anyway?
The term zero-day refers to the amount of time that the developers of the affected software (in this case Microsoft as the developers of Internet Explorer) are aware of the problem before it is made public. Many security researchers will notify developers privately if they discover a new vulnerability before publishing their results to the wider community. This gives the developers a chance to provide a solution to the problem before the “bad guys” start using it.
However sometimes a vulnerability becomes public without any prior warning to the developers. This may be due to the discoverer being a researcher who simply publishes or sells results, rather than following a more responsible notification process. This approach may well be taken due to the financial rewards it may provide the researcher.
Or it may be that the discoverer is a “bad guy” himself and the first the public or the developer knows about the vulnerability is when malware (maybe a trojan, worm or virus) is found “infecting” computers in the general community. This appears to be the situation with the threat being reported on today.
What’s the risk?
This particular vulnerability can allow the attacker to have access to your computer equivalent to your own level of access. That means for your own computer they can probably do just about anything they want. If you’re on a company computer and don’t have full access (for example you may not be allowed to install software on it) this restriction may apply to the attacker as well. However, many attackers will be happy with this depending on what they want to do, or they may use this as a first step and use a different vulnerability to gain full access once they have limited access. The reports today suggest that the “bad guys” have adapted previously available tools to use the newly discovered vulnerability and now that the news is out this process will be much easier for the next “bad guy”.
How do I know if I am at risk?
Well, the simplest way to answer this is that if you use a Windows computer (rather than a Mac or something else) and you’re not sure then you probably are at risk. If you already use Chrome or Firefox or another safer browser, then you’re not affected by this particular vulnerability. If you’re not sure what browser you use it is almost certainly Internet Explorer.
What should I do?
The simplest way is to avoid using Internet Explorer. Click here to get Google’s Chome web browser. Follow the instructions there to download and install it and use that to look at web pages instead of Internet Explorer.
You may find that some specialised sites are fussy and only work correctly in Internet Explorer. If you need to use a site like this and it won’t work right in Chrome, then use Internet Explorer for just that site and do all your other web browsing in Chrome. As always, for security sensitive sites such as online banking, sites where you are buying online and your work webmail make sure you ALWAYS type the address yourself. DO NOT use shortcuts, favorites, bookmarks and especially never trust a link in an email, no matter how genuine it looks!
Microsoft, of course, have different advice. They suggest you install what they call their Enhanced Mitigation Experience Toolkit v3.0. However, this does not really correct the problem. It just turns up the paranoia settings in Internet Explorer so it warns you and asks permission every time any web page tries to do anything automatic. This will generate a flurry of warnings for users to answer and will probably stop many legitimate sites from working correctly, so it’s not the best solution. However with no time to act it’s about all they could do.
Hopefully Microsoft will come up with a better solution soon, however, so as always make sure you have automatic updates turned on and you allow them to install when they want to.
Of course you should make sure you keep all other relevant software up to date. Make sure you have a current and reputable anti-virus package installed (such as Kaspersky Antivirus 2012) and check that it is updating correctly and automatically. Also install updates to Adobe Reader, Adobe Flash and Sun Java when they ask. If you haven’t seen them ask lately then they may not be configured correctly to check for updates, If you’re not sure about any of this then ask for help from someone suitable. If you are a customer of GC Support (or you want to be) then ask me!