Affected by a 0-day flaw, Microsoft’s Internet Explorer will receive a corrective fix while a full update is developed.
In versions 6 to 9, Internet Explorer suffers from a critical vulnerability currently exploited by attacks that spread via the Poison Ivy malware, a Trojan horse backdoor. The exploit has been detected by numerous security products.
Microsoft has confirmed this in a security bulletin that details ways to prevent the flaw from being exploited. For the Internet and Intranet zones, the software giant recommends blocking ActiveX controls and Active Scripting by changing the setting to Maximum security in IE’s options (under the security settings).
To prevent the flaw from being exploited, Microsoft is looking at the free deployment of its EMET tool (Enhanced Mitigation Evaluation Toolkit).
The issue has been widely covered in the media, with German authorities taking the threat seriously by recommending that all users stop using Internet Explorer until a corrective patch has been produced by Microsoft.
This isn’t the first time that the Federal Office of Information Technology Security (BSI) has made such a recommendation. It made the same recommendation in the past when a browser was affected by a 0-day flaw.
Other countries are recommending that users follow Microsoft’s recommendation and apply the EMET tool.
Facing such criticism, Microsoft has provided a few additional details, promising a corrective patch in the coming days. This will be a Fix it to be applied by the user and not something that is delivered by Windows Update – although this will come later. With this Fix it, Microsoft has assured users that they will have complete protection.
Microsoft states: "While we have only seen a few attempts to exploit the issue, impacting an extremely limited number of people, we are taking this proactive step to help ensure Internet Explorer customers are protected and able to safely browse online."
With a Fix it, the risk is that novice users won’t apply it and will remain exposed to exploitation.