New Zero-Day Vulnerability found in Internet Explorer: Targeting Versions 6 to 11

Posted May 2, 2014

A new critical zero-day vulnerability has been found in Internet Explorer 6 to 11: that is the news we woke up to this Monday. The vulnerability affects versions of IE from 6 to 11, although the exploits currently available in the wild target versions 9 to 11. This amounts to more than 50% of the world's browsers; Internet Explorer 9 to 11 alone constitute about 26% of the world's browsers. It is a zero-day vulnerability because exploits are already in the wild and no patch is available yet, although one can take measures to avoid getting hacked.

This news comes in the wake of the Heartbleed vulnerability that affected OpenSSL, a widely used SSL implementation on the internet: a vulnerability that affected almost two-thirds of websites, not to mention SSL clients and network gear. The IE vulnerability affects all Windows operating systems from Windows XP onwards, as the above browsers are available on these OSes. Now, given that Microsoft has stopped supporting XP and will refuse to make a patch for this vulnerability available for XP, those still using XP will be left in the lurch.

Fix for Internet Explorer’s zero-day vulnerability

The vulnerability can be exploited via malicious sites visited with a vulnerable browser or via attachments sent by email. Microsoft is working on a fix, but it is not yet ready. As of now, the following measures can be taken on operating systems other than XP to avoid the vulnerability:

  1. Turn on Enhanced Protected Mode (EPM), which is available only in IE versions 10 and 11; disable the Flash plugin; or download and install Microsoft's Enhanced Mitigation Experience Toolkit (EMET) version 4.1.
  2. Otherwise, do not use Internet Explorer at all: use Chrome, Mozilla, Opera, Safari or some other browser. As Microsoft is not going to come up with a fix for XP for this, the best way out is to upgrade from XP to a newer OS. Some third parties might come up with XP fixes, but we have to wait and see to be sure.
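As an added, read-only example (not code from the original post or from Indusface), the PowerShell audit below reports whether a host's IE falls in the affected range and whether any of the three mitigations listed above is in place. The registry marker used for EPM (Isolation = "PMEM") and the Flash ActiveX CLSID are assumptions of this example, not details stated in the post.

```powershell
# Added example, not from the original post: audit-only check of the IE
# mitigations listed above. It reads the registry and changes nothing.
# Assumptions: EPM is marked by Isolation = "PMEM" under HKCU ...\Main, and
# {D27CDB6E-AE6D-11cf-96B8-444553540000} is the Shockwave Flash ActiveX CLSID.

$ieKey      = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$mainKey    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$flashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$killBitKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid"
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-IeMitigationStatus {
    $ie = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
    # IE 10/11 report their real version in svcVersion; older builds only in Version.
    $version = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
    $major = 0
    if ($version) { $major = [int](($version -split '\.')[0]) }

    # Mitigation 1: Enhanced Protected Mode (IE 10/11 only). Assumed marker: Isolation = "PMEM".
    $main = Get-ItemProperty -Path $mainKey -ErrorAction SilentlyContinue
    $epmEnabled = ($major -ge 10) -and ($main.Isolation -eq 'PMEM')

    # Mitigation 2: Flash disabled in IE via the ActiveX kill bit (0x400 in Compatibility Flags).
    $kb = Get-ItemProperty -Path $killBitKey -ErrorAction SilentlyContinue
    $flashKillBit = ($null -ne $kb) -and (($kb.'Compatibility Flags' -band 0x400) -ne 0)

    # Mitigation 3: EMET present, detected as an installed product whose name starts with "EMET".
    $emet = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like 'EMET*' } |
            Select-Object -First 1 -ExpandProperty DisplayName

    [pscustomobject]@{
        IEVersion       = $version
        InAffectedRange = ($major -ge 6 -and $major -le 11)
        EPMEnabled      = $epmEnabled
        FlashKillBitSet = $flashKillBit
        EMETInstalled   = [string]$emet
        AnyMitigation   = $epmEnabled -or $flashKillBit -or [bool]$emet
    }
}

Get-IeMitigationStatus | Format-List
```

Run it in an elevated prompt so the HKLM keys are readable; a host that is InAffectedRange with AnyMitigation False is the one to prioritise.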

Personally, I use Internet Explorer to access a US government website. Many US Federal websites either require or recommend the use of the Internet Explorer browser. As a result, I have no other option but to use Internet Explorer and apply the above fixes. I cannot move to Chrome or Mozilla for the above purpose.

Can you check if you are affected by this critical vulnerability?

As of now, I do not see a site where one can go and check if one is affected, or download something that will automatically make configuration changes to your IE so that you are secure. But watch out: it is not unrealistic to expect such sites/services to come up soon, given that more than 50% of browsers on the Internet are affected by this vulnerability.

The bigger concern overall is the huge productivity loss from the time that goes into deploying patches, playing catch-up with these vulnerabilities and keeping oneself secure. Is there a way out?

In this particular case, the best option would be to dump XP and move on to the latest Windows OS, which is Windows 8. Other than that, we can only wish for a silver bullet that will come up sometime in the future and save us the huge productivity losses from dealing with these vulnerabilities.

Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.

Venkatesh Sundar

Venky is an Application Security technologist who built the new age Web application Scanner and Cloud WAF - AppTrana at Indusface as a Founding CTO. Currently, he spends his time on driving Product Roadmap, Customer Success, Growth, and technology adoption for US businesses.
