The U.S. Department of Homeland Security (DHS) said it currently has no idea how to combat the Microsoft (MSFT) Internet Explorer (IE) Web browser zero-day exploit discovered by FireEye Research Labs. In fact, DHS is recommending IE administrators and users "consider employing an alternate browser" until the bug is patched.
FireEye first identified the IE zero-day exploit on April 26 and said hackers can use it in targeted attacks against IE users. The vulnerability affects IE6 through IE11, but hackers are reportedly targeting IE9 through IE11 users. According to NetMarketShare.com, about 55 percent of PCs run IE6 through IE11, and roughly 25 percent run either IE9 or IE10.
Hackers are using the IE vulnerability as part of "Operation Clandestine Fox," FireEye said. To exploit the bug, hackers lure IE users to a website containing an Adobe (ADBE) Flash file that enables a hacker to run a program within IE. The Flash file corrupts the computer's memory, which allows an attacker to take over the victim's computer.
"[Hackers are] essentially inserting this malicious code onto a website, and if you happen to visit that website at the time when that malicious code is there, your computer is at risk," Satnam Narang, a security response researcher at Symantec (SYMC), said in a prepared statement.
So what can managed service providers (MSPs) do to minimize or mitigate this IE vulnerability? To date, Microsoft has issued Security Advisory 2963983 to assist IE users, but has yet to patch the bug.
"We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing anti-malware software," Microsoft wrote in its security advisory.
In addition, Microsoft is investigating the vulnerability and said IE users running Microsoft software should install the latest Microsoft security updates to make sure their computers "are as protected as possible."
But for now, the safest course of action is to use an alternative browser, security experts say.