In a security advisory released late last week, Microsoft warns users of limited, targeted attacks attempting to exploit a vulnerability in Internet Explorer 6 through Internet Explorer 11, although the attacks observed so far target only IE9 through IE11.
The vulnerability has not been patched and is considered a significant zero-day vulnerability, as the vulnerable versions of IE represent about a quarter of the total browser market. We recommend applying the patch as soon as it becomes available.
To read the details of how this exploit can occur, see this article.
What you can do to protect your computer:
- One mitigating factor is to download and install Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a free tool that can strengthen security on Windows. Note that EMET 3.0 does not mitigate the attack; users should rely on EMET 4.1. Krebs on Security discusses EMET here.
- Because the attack will not work without Adobe Flash, disabling the Flash plugin within IE will prevent the exploit from functioning.
- According to FireEye, the security lab that discovered the vulnerability, Enhanced Protected Mode (EPM) in IE10 and IE11 will prevent the exploit. It is not turned on by default. This article shows how to enable EPM in IE.
- The fourth option is to use another browser until a patch has been released.
UPDATE AS OF 5/1/14:
Today Microsoft issued an out-of-band patch to fix a vulnerability in Internet Explorer 6 through 11. The zero-day exploit (CVE-2014-1776) was identified in targeted attacks against Internet Explorer 9 through 11 earlier this week.
Microsoft advises users to install the security update as soon as possible through Windows Update. For details on the patch see: MS14-021: Security Update for Internet Explorer (2965111).
MIT WAUS has pushed the patch out to subscribers. Although a patch for IE on Windows XP was included in this fix, it is unlikely that Microsoft will do this again. Microsoft reminds customers still running Windows XP to upgrade to Windows 7 or 8 now.
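For administrators who want to verify that the MS14-021 update reached a machine, and whether the EPM mitigation described above is in effect, the following PowerShell check is an added example and not part of the original bulletin or of any Microsoft tool. The IE version and patch lookups use standard registry values and Get-HotFix; the Enhanced Protected Mode registry value names (Isolation = "PMEM") are an assumption and should be confirmed against your own IE build before relying on the result.

```powershell
# Added example: report patch and mitigation status for CVE-2014-1776 on this host.
# Assumption: the EPM value names (Isolation = "PMEM") are taken from memory of
# IE10/IE11 behaviour; verify them on a reference machine before trusting EPMEnabled.
function Get-IeCve20141776Status {
    $ieKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $ie = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
    # IE10 and later record the real version in svcVersion; older builds set only Version.
    $ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }

    # The out-of-band fix for CVE-2014-1776 ships as MS14-021 / KB2965111 (from the bulletin).
    $patch = Get-HotFix -Id 'KB2965111' -ErrorAction SilentlyContinue

    # EPM is a per-user setting that Group Policy can force under HKLM\...\Policies.
    $userMain   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $policyMain = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main'
    $epmUser   = (Get-ItemProperty -Path $userMain   -ErrorAction SilentlyContinue).Isolation
    $epmPolicy = (Get-ItemProperty -Path $policyMain -ErrorAction SilentlyContinue).Isolation
    $epmEnabled = ($epmUser -eq 'PMEM') -or ($epmPolicy -eq 'PMEM')

    # Exposed = vulnerable IE present with neither the patch nor EPM in place.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        IEVersion    = $ieVersion
        KB2965111    = [bool]$patch
        InstalledOn  = if ($patch) { $patch.InstalledOn } else { $null }
        EPMEnabled   = $epmEnabled
        Exposed      = ($null -ne $ieVersion) -and -not ($patch -or $epmEnabled)
    }
}

Get-IeCve20141776Status | Format-List
```

Run it with Invoke-Command against a list of hosts to build a quick exposure inventory; EPM only counts as a mitigation on IE10 and IE11, so treat EPMEnabled on IE9 as informational.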
Be sure to also use anti-virus software. Sophos Anti-Virus, available for free from the software download page, protects against malware exploiting this vulnerability.
For further reading, see the story: Microsoft issues Internet Explorer security fix.