
Originally published April 29, 2014 at 6:17 PM | Page modified April 30, 2014 at 6:27 AM


Feds advise skipping Internet Explorer until Microsoft’s fix

While Microsoft is working on a fix for a vulnerability in its Internet Explorer browser, the federal government is recommending that people use alternate browsers or put recommended workarounds into place.

Seattle Times technology reporter


Microsoft continues to work on a fix for a vulnerability in its Internet Explorer browser that cyber-attackers are already exploiting. In the meantime, the federal government recommended that people use browsers other than IE or put recommended workarounds into place.

The U.S. Computer Emergency Readiness Team (CERT), part of the Department of Homeland Security, on Monday said the vulnerability affects IE versions 6 through 11 and “could lead to the complete compromise of an affected system.”

“By convincing a user to view a specially crafted HTML document (e.g., a Web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code,” CERT said.

This form of attack, known as “remote code execution,” allows attackers to execute code on a machine without the victim knowing about it.

CERT on Tuesday recommended that users and IT administrators deploy measures and workarounds recommended by Microsoft in a security advisory the company issued Saturday.

Those who can’t implement the measures should consider using alternate browsers, CERT said.

The U.K. government issued a similar advisory Monday.

Microsoft did not give an estimate for when a fix would be available, but did say it was investigating and that the attacks are limited and targeted.

“On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security-update release process, or an out-of-cycle security update, depending on customer needs,” the company said in its security advisory.

Any fix Microsoft issues will not cover Windows XP, since Microsoft ended support April 8 for the nearly 13-year-old operating system and is no longer issuing security updates for it.

The IE vulnerability — and the fact that cyber-attackers are already exploiting it — was discovered Friday night by cybersecurity firm FireEye, which notified Microsoft on Saturday, said Kyrksen Storer, a FireEye spokesman.

FireEye had discovered attacks on IE 9 to 11, while Microsoft subsequently found the vulnerability involves all versions of IE from 6 to 11.

Though statistics on browser usage can vary from company to company, one of them — NetMarketShare — says IE 6 to 11 represents about 56 percent of the desktop browser market share.

Since the investigation is ongoing, FireEye declined to say much about who the attackers are and who they’re targeting, other than to say they appear to have aimed their efforts at a limited set of people for a specific purpose.

FireEye added that the group responsible “has been the first group to have access to a select number of browser-based zero-day exploits (e.g. IE, Firefox, and Flash) in the past. They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure.”

“Zero-day exploits” are when cybercriminals exploit previously unknown vulnerabilities in software before the weaknesses can be patched.

Earlier, FireEye had said the targeted attacks seemed to be aimed at U.S.-based firms tied to defense and financial sectors, according to a Reuters report.

Nonetheless, cybersecurity experts are warning consumers, as well as businesses, to take cautionary measures.

“Because of how widespread the vulnerability is, ... consumers should be mindful of their browser settings if they use Internet Explorer and follow Microsoft’s guidance for mitigating the issue as they wait for a patch,” said FireEye’s Storer.

Now that the vulnerability is known, “there are cyber-attackers — criminals — in a race to write their own attack tools and attack even the average consumer,” said Aviv Raff, chief technology officer of cybersecurity firm Seculert.

Microsoft, in a blog post, said its Enhanced Protected Mode, which is on by default in IE 10 and 11, and its Enhanced Mitigation Experience Toolkit (EMET) 4.1 and EMET 5.0 Technical Preview, should provide protection.

“We also encourage you to follow the ‘Protect Your Computer’ guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software,” the blog post says.

“Additionally, we encourage everyone to exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders.”

Janet I. Tu: 206-464-2272 or On Twitter @janettu.
