Hot on the heels of the recent Firefox vulnerability, Microsoft chimes in with a warning of its own. This time, it’s the old dinosaur Internet Explorer that Microsoft says is actively being exploited in the wild and for which there is no current fix. So, if you are one of those who still insist on using Internet Explorer, which is certainly not advised, this news is for you.
Even though Microsoft has stated a patch will be released for this, they are in no big hurry. As of writing, there is a possibility it will be in the next Patch Tuesday update. However, it’s strongly advised that you use a different browser as your default. If you still insist on using IE, limit your use of it until that fix is released. When it is, apply it immediately. If you are so inclined, Microsoft has listed some workarounds and mitigations in its advisory. One tip is to run IE in Enhanced Security Configuration. More can be found in Security Advisory ADV200001 or CVE-2020-0674.
This is a remote code execution vulnerability, which means someone could take over the device and use whatever permissions the user has. If that user has administrator rights, the attacker can do some serious damage, including installing programs, viewing or changing data, and creating new accounts with full administrator rights.
All supported versions of Internet Explorer are affected. Some versions are at more critical risk than others, but all are serious. Some versions, generally those earlier than version 9, are not supported. So, even if they are affected, any fix that does get released likely won’t be for those older versions.
Microsoft has stated that this is being actively exploited in targeted and limited attacks, not against the general public, which is some comfort. More positive news…it can only be exploited if an older DLL is still installed. That one has since been replaced with a new one in versions IE10 and IE11. That said, if it’s required by a website, the older one can be loaded and used. It is also still used on IE9 and earlier.
In addition to using a browser other than IE, always be on the lookout for phishing in your email inbox. There is some suspicion that this vulnerability is executed when someone clicks a malicious link in an email message. So, if you’re not 100% confident in any link or attachment in your email, don’t click it. And whatever you do, don’t click anything if you don’t know the sender or are not expecting to receive something. This simple technique is the best defense against most cybersecurity attacks.