Microsoft on Tuesday issued a warning for users of Internet Explorer (IE) 9 and earlier, noting that malicious hackers are actively attacking a zero-day flaw in its web browsers. The software giant will issue a patch for this flaw in the days ahead but is currently offering a workaround.
The issue doesn't affect IE 10, the version that will ship next month in Windows 8.
“Today Microsoft released Security Advisory 2757760 to address a targeted issue affecting some versions of Internet Explorer,” a Microsoft representative told me. “The Microsoft Security Response Center (MSRC) blog contains more information about the advisory and some customer guidance.”
According to Microsoft, it has received reports of only a small number of targeted attacks so far. But the firm recommends deploying the Enhanced Mitigation Experience Toolkit (EMET) to guard against exploitation. This toolkit won't affect the usability of websites, Microsoft says.
If deploying EMET isn't an option, Microsoft recommends temporarily configuring IE to use the High setting for its Internet and local intranet security zones. This will help prevent exploits but will affect usability, so users might also need to add known-good websites to IE’s Trusted Sites zone. Users should also consider configuring IE to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones.
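For administrators who want to check or apply the Active Scripting part of that workaround on many machines, here is an added PowerShell example (not Microsoft's own tooling and not from the advisory). It assumes the standard per-user IE zone registry layout, where zone 1 is Local intranet, zone 3 is Internet, and value `1400` is the Active Scripting action; the `-Mode` parameter is a hypothetical name. It does not apply the full High template, and Group Policy settings can override these per-user values.

```powershell
# Added example: audit or set the Active Scripting action for the current user.
# Zone 1 = Local intranet, zone 3 = Internet.
# Value 1400 = Active Scripting: 0 = Enable, 1 = Prompt, 3 = Disable.
param(
    [ValidateSet('Audit', 'Prompt', 'Disable')]
    [string]$Mode = 'Audit'   # hypothetical parameter name for this example
)

$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones = @(
    @{ Id = '1'; Name = 'Local intranet' },
    @{ Id = '3'; Name = 'Internet' }
)
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$wanted = @{ Prompt = 1; Disable = 3 }

# Read value 1400 from a zone key and translate it to a readable state.
function Get-ScriptingState([string]$KeyPath) {
    $prop = Get-ItemProperty -Path $KeyPath -Name '1400' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'Not set' }
    $value = [int]$prop.'1400'
    if ($labels.ContainsKey($value)) { return $labels[$value] }
    return "Unknown ($value)"
}

foreach ($zone in $zones) {
    $key    = Join-Path $zonesRoot $zone.Id
    $before = Get-ScriptingState $key

    # Only write to the registry when a target state was requested.
    if ($Mode -ne 'Audit') {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '1400' -Value $wanted[$Mode] -Type DWord
    }

    $after = Get-ScriptingState $key
    [pscustomobject]@{
        Zone      = $zone.Name
        Before    = $before
        After     = $after
        Mitigated = $after -in 'Prompt', 'Disable'
    }
}
```

Run with no arguments, the script only reports the current state; `-Mode Prompt` or `-Mode Disable` writes the setting for both zones.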
That’s a lot of work. But zero-day vulnerabilities are particularly dangerous because they are exploited in the wild before patches are made available. This one was first reported over the past weekend by security contributor Eric Romang, and a security blog he contributes to now recommends that users switch to other browsers, such as Chrome or Firefox, until a security update becomes available. (That said, I’m not sure how much I trust a security blog that misreports the IE 10 browser as IE 6. Just a thought.)