It has been an exciting month for computer users. First the Heartbleed bug and now a Microsoft Internet Explorer (IE) exploit has been discovered. This vulnerability covers versions 6 through 11 of Internet Explorer. In case you do not want to read all of this, we will first tell you what you can do to be protected until Microsoft can patch Internet Explorer, and then we will give you more details about the Internet Explorer exploit.
If you use Microsoft’s Internet Explorer, the safest action is to use a different web browser until Microsoft patches the vulnerability. Other web browsers, e.g., Google Chrome and Firefox, are not affected.
Microsoft has offered a temporary user fix for Internet Explorer versions 10 and 11 only (no current fix for versions 6 – 9), but this is not automatic. Users have to go into the tools menu and implement it themselves. And, like many security documents, this Microsoft advisory can be a bit confusing to those without a lot of technical experience. Or, you can avoid using Internet Explorer other than to download another browser such as Firefox or Chrome (click on links to download).
Here is an illustrated guide for the fix (excerpted from Forbes.com, Magid, “Illustrated Guide To Microsoft's Defense On Latest Internet Explorer Security Flaw”):
1. First, make sure you can see the menu bar in Internet Explorer. It looks like this:
2. If you don’t see the menu bar, press the Alt key on your keyboard, or right click above the address line and then click on Menu bar in the box that comes up:
3. Click on Tools, and then Internet options (at the bottom):
4. Click on the Advanced tab.
5. Check “Enable Enhanced Protected Mode” if you are running Internet Explorer 10, or for Internet Explorer 11 select both “Enable Enhanced Protected Mode” and “Enable 64-bit processes for Enhanced Protected Mode” (if available).
6. Click Apply/OK and restart your computer.
Make sure you get Windows updates automatically
Make sure you have automatic updates turned on so you’ll get the real fix when Microsoft finally releases it. Here’s how to check if you have them turned on.
More Details on the IE Exploit
The zero-day exploit was discovered on Saturday, April 26, 2014. Microsoft explained the vulnerability on their website:
The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
If you would like a more detailed explanation, please go to the FireEye website. FireEye is the group that discovered the exploit. Their web address is:
We will update this issue as revisions become available.
Magid, Larry. “Illustrated Guide To Microsoft's Defense On Latest Internet Explorer Security Flaw.” http://www.forbes.com/sites/larrymagid/2014/04/30/illustrated-guide-to-microsofts-defense-on-latest-security-flaw-or-avoid-internet-explorer-altogether. 30 April 2014.