Microsoft confirmed this week that every supported version of Internet Explorer is affected by a zero-day vulnerability that allows attackers to install malware without detection. "Zero day" means Microsoft has only now become aware of this hole in its software. About 26% of the browser market is at risk of attack.
The vulnerability, CVE-2014-1776, was discovered by security firm FireEye. The exploit uses a Flash-based "use after free" technique that defeats Windows security protections by breaking memory safety; the technique is well known in the hacking world. In practice, this type of attack lures users to fake websites and then corrupts data in memory that has already been released. Attackers can create websites specifically for this purpose. The attacks currently target IE versions 9 through 11, although all versions back to IE 6 are at risk. Microsoft indicated in its confirmation alert that it is only aware of "limited, targeted attacks" thus far.
Microsoft will inevitably provide some kind of patch for the vulnerability, although it hasn't yet. Right now there are two ways to handle the vulnerability. Microsoft advises IE users to download and install the Enhanced Mitigation Experience Toolkit (EMET) 4.1, a free kit that strengthens existing Windows security measures. Earlier versions of EMET do not stop CVE-2014-1776. FireEye indicates that users should run IE in Enhanced Protected Mode (available for IE10 and IE11 via the Internet Options settings), which includes AppContainer and 64-bit tabs. 64-bit tabs increase security on the desktop because 64-bit processes offer better protection against memory attacks.
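An administrator checking whether a machine actually has the two mitigations above in place can read them from the registry. The following PowerShell script is an added example, not from the article, Microsoft or FireEye; the `Isolation` and `Isolation64Bit` value names are the IE10/IE11 settings behind the Internet Options checkboxes, while locating the EMET version through the Uninstall keys is an assumption about how EMET registers itself.

```powershell
# Added posture check: reports whether Enhanced Protected Mode, 64-bit tab
# processes and EMET 4.1+ are present, and flags Windows XP hosts that will
# never receive the CVE-2014-1776 patch.
$ieMain   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ieMainGP = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main'

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# A Group Policy value overrides the per-user value when both exist.
function Get-IESetting([string]$Name) {
    $v = Get-RegValue $ieMainGP $Name
    if ($null -eq $v) { $v = Get-RegValue $ieMain $Name }
    return $v
}

function Test-IEMitigations {
    $result = [ordered]@{}
    # "Isolation" = "PMEM" means Enhanced Protected Mode (AppContainer) is on.
    $result.EnhancedProtectedMode = (Get-IESetting 'Isolation') -eq 'PMEM'
    # "Isolation64Bit" = 1 enables 64-bit tab processes; only meaningful on 64-bit Windows.
    $result.SixtyFourBitTabs = ((Get-IESetting 'Isolation64Bit') -eq 1) -and
                               [Environment]::Is64BitOperatingSystem
    # EMET version: assumption that its DisplayName in the installed-programs list starts with "EMET".
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    $emet = Get-ChildItem $uninstall -ErrorAction SilentlyContinue |
            Get-ItemProperty |
            Where-Object { $_.DisplayName -like 'EMET*' } |
            Select-Object -First 1
    $result.EMETVersion   = if ($emet) { $emet.DisplayVersion } else { 'not installed' }
    $result.EMETAtLeast41 = [bool]$emet -and
                            ([version]$emet.DisplayVersion -ge [version]'4.1')
    # Windows XP is NT 5.1; anything below NT 6.0 gets no patch for this bug.
    $result.UnpatchableXP = [Environment]::OSVersion.Version -lt [version]'6.0'
    [pscustomobject]$result
}

Test-IEMitigations | Format-List
```

Run it in the context of the user whose browser you are checking, since Enhanced Protected Mode is stored per user unless enforced by policy.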
Unfortunately, even when Microsoft does finally provide a patch, Windows XP users won't get it, and many of the protections provided by EMET do not work on XP. This is just the first instance of what will be a recurring problem for XP holdouts. In case you think no one is left using Windows XP, think again. The XP "holdouts" group is no small cadre of stragglers; it includes the IRS, for example. This means that a large group of users, with whom we all need to connect regularly, are subject to ongoing security risks.