Wednesday, April 30, 2014

Microsoft Internet Explorer Vulnerability ~ Fact and Opinion


As you have most likely heard, Microsoft is scrambling to fix a major bug which allows hackers to exploit flaws in Internet Explorer 6, 7, 8, 9, 10 and 11. The company has also confirmed it will not issue a fix for web browsers running on Windows XP after it formally ended support for the 13-year-old operating system back on April 8th.

The vulnerability was discovered by cyber security software maker FireEye Inc., which stated the flaw is a ‘zero-day’ threat. This means the first attacks were made on the vulnerability before Microsoft was aware of it. FireEye also revealed a sophisticated hacker group has already been exploiting the flaw in a campaign dubbed ‘Operation Clandestine Fox’, which targets US military and financial institutions.

FireEye spokesman Vitor De Souza declined to name the hackers or potential victims as the investigation is ongoing, only telling Reuters: “It’s unclear what the motives of this attack group are at this point. It appears to be broad-spectrum intel gathering.”

For its part Microsoft has confirmed the existence of the flaw in an official post: https://technet.microsoft.com/library/security/2963983

Now, Internet Explorer has always been a vulnerable browser and has exploits created/identified against it every day. This is why for YEARS I have pushed my customers to use an alternative web browser such as Mozilla Firefox or Google Chrome. As previously mentioned, both of those web browsers are safer to use than Internet Explorer and are both immune to the recently identified exploit!

What makes this recent vulnerability stand out from the others, and why it is making all the headlines, is that the problem is pretty widespread, affecting 1 in 4 Windows-based computers and ALL Windows XP systems.

A Temporary Fix
While Microsoft rushes to fix the bug, FireEye gave concerned users two workarounds.
  1. Use a web browser other than Internet Explorer
  2. Disable Adobe Flash. “The attack will not work without Adobe Flash,” it said. “Disabling the Flash plugin within IE will prevent the exploit from functioning.”
*Adobe has released a new patch/update for their Flash Player! Allow the Flash Player to update or manually download and install the latest version here: http://www.adobe.com/support/flashplayer/downloads.html

No Hope For Windows XP
Microsoft has confirmed that no fix will be rolled out for Windows XP because support has officially ended and there are no plans to make an exception. It states:

“An unsupported version of Windows will no longer receive software updates from Windows Update. These include security updates that can help protect your PC from harmful viruses, spyware, and other malicious software, which can steal your personal information.”

The company’s advice to Windows XP users has remained the same for some time: upgrade to Windows 7 or 8 or buy a new PC. It has also repeatedly sent a pop-up dialog box to reachable Windows XP machines with the following end of support notification.

For users unsure whether their existing XP PCs can support Windows 8, Microsoft offers a software tool called ‘Windows Upgrade Assistant’ which can be downloaded here: http://go.microsoft.com/fwlink/p/?LinkId=321548

If you have any questions or concerns please don't hesitate to get in touch!

Jon Pienkowski
Pacific NorthWest Computers
www.pnwcomputers.com
360-624-7379