04-29-14 | Blog Post
The U.S. Department of Homeland Security released a vulnerability note stating Microsoft Internet Explorer “contains a use-after-free vulnerability” that can “allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.” The security flaw was first detected by FireEye Research Labs.
Homeland Security said in an advisory that the zero-day flaw in versions 6 to 11 of IE could lead to “the complete compromise” of an affected system and recommended “employing an alternative Web browser until an official update is available.”
Microsoft has responded, saying:
On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
The impact is potentially great. FireEye estimates 26 percent of the entire browser market is at risk. NetMarketshare claims Internet Explorer accounts for roughly 58 percent of the world’s desktop browsers.
The IE flaw emerged just weeks after the public discovery of Heartbleed, a flaw in the design of an encryption tool that runs on as many as two-thirds of all active websites. (Online Tech Senior Product Architect Steven Aiello offered his take on Heartbleed in a local media report.)
In its report, Reuters news service noted that the IE bug is “the first high-profile computer threat to emerge since Microsoft stopped providing security updates for Windows XP earlier this month.” That means PCs running the operating system will remain unprotected, even after Microsoft releases updates to defend against it.
To combat future exploits, learn more about deploying various technical security software to create a multi-layered, defense in depth solution that can protect your databases, web servers, sensitive data and more.
Resources
Reuters: US, UK advise avoiding Internet Explorer until bug fixed
