
Internet Explorer Bug

posted Jun 2, 2014, 11:51 AM by Craig Cox   [ updated Jun 6, 2014, 8:49 AM ]

April, 2014

Also called a "Use-After-Free" bug (or vulnerability)
USA Today article about DHS recommending that people avoid using IE
US-CERT advisory
Related article on Yahoo.
University of Delaware is also recommending that you don't use IE until a fix is made available.
Even though the bug is extremely dangerous, as of this writing (10:00am 4/29/2014) it still looks like you have to be lured to a compromised / hostile web page in order for the bug to be exploited. I therefore predict an uptick in click-the-link spam. Please review the anti-phishing material under 'Presentations', or contact me for the presentation if you haven't seen it yet.

Firefox download
Chrome download

Brian Krebs recommends using EMET to mitigate the problem. This is technically good advice, seconded by several in the Systems group.

Microsoft EMET download link

Turning on IE's "Enhanced Protected Mode" may also mitigate the threat. To do this in IE, click the cog icon in the top right, select Internet Options, select the Advanced tab, scroll down to the Security section, and check the box for "Enable Enhanced Protected Mode*". That asterisk means you have to reboot the computer for the change to take effect. Restarting IE isn't sufficient, apparently.

Neither of these mitigations is as safe as avoiding IE until Microsoft issues a patch, in my opinion. Note that my opinion is not universally shared.

Adobe Flash has a role in this vulnerability; some reports say that Linux users with Flash may also be vulnerable. Watch for the Adobe update notification, and allow updates when they are offered. Adobe has already issued its patch.