Microsoft, the Redmond giant, has issued a critical security advisory for Internet Explorer users. A vulnerability affecting all supported versions of IE has been disclosed, and it is already being exploited in the wild.
What is the Vulnerability?
In its official security advisory (Microsoft Security Advisory 2887505), Microsoft describes the flaw as a memory corruption vulnerability in Internet Explorer that allows remote code execution (RCE). It has been assigned the identifier CVE-2013-3893. Since no patch is available yet and attacks are already under way, it is a zero-day flaw.
Note: A zero-day flaw is one that attackers exploit before the vendor has released a security patch for it.
What are the affected Versions of IE?
Internet Explorer 6, 7, 8, 9, 10 and 11 are the affected versions.
According to Microsoft, targeted attacks exploiting the vulnerability in IE 8 and IE 9 have already been observed. This does not mean the other versions are any safer; the same flaw is present in all of them.
Is there any Fix?
Although Microsoft has not released a security patch, it has released a temporary Fix it solution called “CVE-2013-3893 MSHTML Shim Workaround”. As the name suggests, this is a workaround (an application compatibility shim applied to the MSHTML component) that blocks the known exploitation path; it is not a fix for the underlying flaw. Until an official security patch is released, it helps prevent attackers from exploiting the vulnerability in the affected versions of IE.
Follow this link to apply the Fix it patch.
Note:
The Fix it applies only to 32-bit versions of Internet Explorer. Users of 64-bit IE will have to wait until Microsoft releases a proper software update; in the meantime they are advised to use a browser other than IE.
Users of 64-bit IE can also install Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). EMET applies additional exploit mitigations (such as DEP, ASLR and anti-ROP checks) to selected programs, including Internet Explorer, and so reduces the chance that an exploit for this flaw succeeds. However, PC novices may find it difficult to configure, and even tech-savvy users should read the User’s Guide before putting it to use.
Thus, most experts have recommended that users are better off browsing the Internet with an alternative browser until a permanent patch for the vulnerability arrives.
How does an Attacker use the Vulnerability?
As mentioned, this vulnerability allows an attacker to execute code remotely on the victim’s computer. How damaging that is depends on the rights of the user who is logged on: the attacker’s code runs with the same privileges, so if the victim is logged on as an administrator, the attacker gains administrator rights and can take complete control of the system.
How is the IE Vulnerability Exploited?
The vulnerability is exploited through a malicious web page crafted by the attacker, so the attacker must first lure or trick the victim into visiting it. Typically this is done with an email containing a link to the page, or an email attachment that redirects the user to it. Websites that allow users to add their own content have also been used by attackers to host exploits for this vulnerability.
Note: Microsoft reports that Internet Explorer on its Windows Server platforms is mitigated by default. There, IE runs in a restricted mode known as Enhanced Security Configuration, which disables scripting and other active content from Internet sites for normal users and administrators alike, so a malicious web page cannot trigger the flaw.
Recommended Measures
We recommend the following measures to reduce the risk from the CVE-2013-3893 vulnerability:
- Use another browser such as Firefox, Chrome or Safari until a patch is available.
- Do not use an account with administrator rights for everyday tasks such as browsing.
- Use the Quick Heal Safe Browsing feature for surfing the Internet.
- Keep an eye out for the security update from Microsoft that fixes this vulnerability, and install it as soon as it is released.
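For administrators who need to apply this advice across many machines, here is a PowerShell check added for this article (it is not Microsoft’s or Quick Heal’s code). It reads the installed IE version from the registry, checks whether a 64-bit iexplore.exe is present (the Fix it only shims 32-bit IE), whether the host is a server and whether IE’s restricted mode (Enhanced Security Configuration) is enabled, and whether the current session has administrator rights, then reports which of the recommendations above apply. The function name and output fields are ours, and the Active Setup registry GUID used for the Enhanced Security Configuration check is an assumption that should be verified against your own Windows build.

```powershell
# Added example for this article, not Microsoft's or Quick Heal's code.
# Collects the facts the advisory makes decision-relevant on one Windows host.
function Get-IEExposureReport {
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    # IE 10 and later record their real version in svcVersion; older builds only in Version.
    $ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
    $ieMajor   = [int]($ieVersion.Split('.')[0])

    # ProgramFiles(x86) is defined only on 64-bit Windows. There the 64-bit browser
    # lives under Program Files and the 32-bit one under Program Files (x86).
    $is64BitOS  = [bool]${env:ProgramFiles(x86)}
    $ie64Path   = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
    $has64BitIE = $is64BitOS -and (Test-Path $ie64Path)

    # ProductType is 'WinNT' on client SKUs and 'ServerNT' or 'LanmanNT' on servers.
    $productType = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ProductOptions').ProductType
    $isServer    = $productType -ne 'WinNT'

    # Assumption: Enhanced Security Configuration for administrators records its
    # state under this Active Setup component GUID; verify on your build.
    $escKey     = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    $escEnabled = (Test-Path $escKey) -and ((Get-ItemProperty $escKey).IsInstalled -eq 1)

    # Is the current session running with administrator rights?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # CVE-2013-3893 affects IE 6 through 11.
    $affected = ($ieMajor -ge 6) -and ($ieMajor -le 11)

    $advice = New-Object System.Collections.Generic.List[string]
    if (-not $affected) {
        $advice.Add('IE version outside 6-11: not covered by CVE-2013-3893.')
    } else {
        if ($isServer -and $escEnabled) {
            $advice.Add('Server with Enhanced Security Configuration: mitigated by default.')
        } else {
            $advice.Add('Apply the "CVE-2013-3893 MSHTML Shim Workaround" Fix it for 32-bit IE.')
            if ($has64BitIE) {
                $advice.Add('64-bit iexplore.exe present: the Fix it does not cover it; use EMET or another browser.')
            }
        }
        if ($isAdmin) {
            $advice.Add('Session has administrator rights: browse from a standard user account instead.')
        }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        IEVersion      = $ieVersion
        Affected       = $affected
        Is64BitOS      = $is64BitOS
        Has64BitIE     = $has64BitIE
        IsServer       = $isServer
        ESCEnabled     = $escEnabled
        RunningAsAdmin = $isAdmin
        Advice         = ($advice -join ' ')
    }
}

Get-IEExposureReport | Format-List
```

Run it in a PowerShell session on each host (or remotely via Invoke-Command) and collect the objects; the Advice field tells you whether the Fix it alone is enough, whether EMET or another browser is needed for 64-bit IE, and whether the user should stop browsing from an administrator account.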
For a more detailed report on the IE vulnerability, read the official security advisory released by Microsoft. We will keep our readers updated about any further developments. Let’s hope Microsoft does not take too long to release a complete fix.
