Microsoft (MSFT) has published a workaround for the Internet Explorer (IE) Web browser zero-day vulnerability identified by FireEye Research Labs. The workaround includes instructions on how channel partners can protect the two most recent versions of IE.
Full details about the workaround are available in Microsoft Security Advisory 2963983. In addition, Microsoft is collaborating with Microsoft Active Protections Program (MAPP) partners to safeguard customers against the flaw.
FireEye released information about the IE zero-day exploit on April 26. Hackers reportedly can use this vulnerability to take over an IE user's computer.
"An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights," Microsoft wrote in Security Advisory 2963983.
According to FireEye, the IE security flaw affects IE6 through IE11, but hackers are targeting IE9 through IE11 users as part of "Operation Clandestine Fox," an ongoing series of targeted attacks against IE users.
"We believe this is a significant zero-day [exploit] as the vulnerable versions represent about a quarter of the total browser market," FireEye wrote in a blog post.
Despite the workaround, managed service providers (MSPs) and customers are still at risk. For now, Microsoft is encouraging IE users to apply all software updates, enable firewalls and install anti-malware software.
However, Chris Camejo, director of assessment services at NTT Com Security, said following Microsoft's instructions could be more trouble than it's worth. Because IE users would likely need to change their settings on each affected system, Camejo believes it would be easier for MSPs to wait until Microsoft releases a security patch.
"Given the complexity and impact of Microsoft's workarounds, I suspect many organizations are just going to wait until the patch gets released and hope they don't get breached in the meantime," Camejo told USA Today.