US-CERT to Americans: Stop browsing with IE
- 29 April, 2014 07:00
The U.S. government's top cyber-security agency is telling Internet Explorer (IE) users they should consider running a different browser until Microsoft fixes a critical vulnerability.
The U.S. Computer Emergency Readiness Team (US-CERT) added its voice to the growing chorus of security organizations and companies that have warned people of the flaw, which affects IE6, IE7, IE8, IE9, IE10 and IE11.
US-CERT is part of the U.S. Department of Homeland Security, and regularly issues security warnings and threat alerts.
"US-CERT recommends that users and administrators enable Microsoft EMET where possible and consider employing an alternative Web browser until an official update is available," the agency said in a Sunday statement.
EMET refers to "Enhanced Mitigation Experience Toolkit," an anti-exploit utility that lets customers beef up security defenses on select applications.
Windows XP users are especially at risk to exploits of this IE vulnerability, because they will not receive patches for IE6, IE7 or IE8. Microsoft will be writing patches for all three versions, but will not offer them to Windows XP customers; it terminated support for the 12-year-old OS on April 8.
Security experts had warned Windows XP users that they would be targeted by hackers after support ended. They believed that cyber criminals would quickly find flaws by examining Microsoft's patches -- using a before-and-after code comparison -- in those products, like IE, that continue to receive updates on other editions of Windows.
"This happened a bit quicker than I expected, but it is a sign of things to come," said Wolfgang Kandek, chief technology officer of Qualys, in a Monday blog. "Since you will not get a patch for your operating system, deregistering the DLL will be your best option to defend your systems."
Kandek was talking about another suggestion from Microsoft, that users deregister the "vgx.dll" file. That .dll (dynamic-link library) is one of the modules that renders VML (vector markup language) within Windows.
"VML is only infrequently used on the Web, so disabling it in IE is the best way to prevent exploitation," Kandek contended.
Instructions for deregistering vgx.dll can be found in Microsoft's security advisory for the IE vulnerability.
US-CERT rarely goes as far as to recommend that Americans switch browsers because of a bug, but it has done so in the past. Last month, for example, the organization said Windows XP users would be safer if they stopped running IE.
Both Google's Chrome and Mozilla's Firefox run on Windows XP, and will receive security fixes until at least April 2015.
US-CERT's vulnerability notice for the IE flaw was published Sunday.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.
Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.