Here we go again. Right now, there is a known, zero-day vulnerability being actively used to exploit users of Internet Explorer 6 through its current version (IE 11). This means that the bad guys were able to find a vulnerability and take advantage, while the “good guys” scramble to catch up. Unfortunately, with Microsoft’s disavowing of XP, this is likely one of many exploits that will allow an attacker access to your Windows-based OS. Here’s what you need to know.
The vulnerability? Sound.
The name? Operation Clandestine Fox.
Attackers lure you to a website specifically designed to execute the hack via Flash video. Attackers are able to bypass Microsoft’s built in protection (DEP). Through the sound itself they take over whatever is in memory. From there they can take over and gain access to underlying files. Depending on what you have loaded, this may include access to passwords, accounts, account names, and more (technical description at this site.)
What To Do
The problem is, as I write this article, Microsoft does not have an answer for this. They are providing the following work-a-rounds if you wish to continue using (or are forced to use) Internet Explorer.
1. If you are running server floors of IE, Microsoft claims that you can simply run Internet Explorer with ‘Enhanced Security Configuration’
2. If you are running supported (that feels like a very loaded word, especially when Microsoft uses it) versions of Outlook Windows Mail, AND you have not modified any settings regarding opening your emails…Microsoft says you are OK….UNLESS you violate email user security 101 and click a link to a site looking to compromise this security vulnerability.
3. Microsoft says not to worry if you, somehow, some way, are able to operate in your Windows experience as a reduced privilege user. Since this is a memory based exploit, you could very well have sensitive information stolen. I feel like this is a stretch, as there is no way to know what programs are in memory at the time of a successful exploit.
4. Don’t click the link….Microsoft says, don’t click the link. What link? They don’t know. Maybe don’t click any links in IE until they patch?
There is a #5. Don’t use IE. Maybe you can’t quit IE just yet. Of course, it came pre-installed on your PC. Of course it gets the job done. Of course! …But maybe (say it like Louis C.K. does)…take this opportunity to ‘explorer your options’.
But let’s face it- every browser could have and will have security vulnerabilities. Right now, IE is the problem- even prompting Homeland Security to call the vulnerability a “complete compromise.” Sounds super awesome.
Read these tips on browsing the web safely. Expect the best, but prepare for the worst. But for the love of all things Holy- Avoid using IE until Microsoft does SOMETHING about it. (Work arounds don’t count.) Good luck out there.
So tell me, do you use IE?