Homeland Security: No 'Practical Solution' to Internet Explorer Bug

The U.S. Department of Homeland Security (DHS) said it is "currently unaware of a practical solution" to the Microsoft (MSFT) Internet Explorer (IE) Web browser vulnerability identified by FireEye Research Labs. How can managed service providers (MSPs) avoid problems due to this security flaw?

Dan Kobialka, Contributing writer

April 29, 2014


The U.S. Department of Homeland Security (DHS) said it currently has no idea how to combat the Microsoft (MSFT) Internet Explorer (IE) Web browser zero-day exploit discovered by FireEye Research Labs. In fact, DHS is recommending IE administrators and users “consider employing an alternate browser” until the bug is patched.

“We are currently unaware of a practical solution to this problem,” the DHS’s U.S. Computer Emergency Readiness Team wrote in Vulnerability Note VU#222929.

FireEye first identified the IE zero-day exploit on April 26 and said hackers can use it in targeted attacks against IE users. The vulnerability affects IE6 through IE11, but hackers are reportedly targeting IE9 through IE11 users. According to NetMarketShare.com, about 55 percent of PCs run IE6 through IE11, and roughly 25 percent run either IE9 or IE10.

Hackers are using the IE vulnerability as part of “Operation Clandestine Fox,” FireEye said. Attackers exploit the bug by luring IE users to a website containing an Adobe (ADBE) Flash file that enables them to run a program within IE. The Flash file corrupts the computer’s memory, which allows the attacker to take over the victim’s computer.

“[Hackers are] essentially inserting this malicious code onto a website, and if you happen to visit that website at the time when that malicious code is there, your computer is at risk,” Satnam Narang, a security response researcher at Symantec (SYMC), said in a prepared statement.

So what can managed service providers (MSPs) do to minimize or mitigate this IE vulnerability? To date, Microsoft has issued Security Advisory 2963983 to assist IE users, but has yet to patch the bug.

“We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing anti-malware software,” Microsoft wrote in its security advisory.

In addition, Microsoft is investigating the vulnerability and said IE users running Microsoft software should install the latest Microsoft security updates to make sure their computers “are as protected as possible.”

But for now the safest course of action is to use alternative browsers, security experts say.

About the Author(s)

Dan Kobialka

Contributing writer, Penton Technology

Dan Kobialka is a contributing writer for MSPmentor and Talkin' Cloud. In the past, he has produced content for numerous print and online publications, including the Boston Business Journal, Boston Herald and Patch.com. Dan holds an M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State College (now Bridgewater State University). In his free time, Kobialka enjoys jogging, traveling, playing sports, touring breweries and watching football (Go Patriots!).
