Earlier this month it became known that a zero-day vulnerability affects both Microsoft Edge and the latest version of Internet Explorer. A researcher discovered the flaw and reported it privately to Microsoft; when Microsoft didn't respond, he released the details publicly. If the vulnerability is exploited, a malicious actor could read information that belongs to other websites open in the browser, such as the login session and cookies from other sites you have visited, including financial websites, income tax websites, or anything else where you enter personal information.
First, what is a zero-day vulnerability? It's a flaw that becomes known, or is already being exploited, before the vendor has a patch or workaround, so until one arrives there is really nothing anyone can do other than be on the defensive. In this case, someone wanting to take advantage of it would have to get a user to open a malicious web page in the vulnerable browser; once that page loads, it can read data from the other sites the user is logged in to without the victim typing anything into it. Getting the victim to that page is typically done through phishing.
Phishing is a social engineering technique: someone sends an email, calls on the phone (vishing), or texts (smishing) and tries to get the intended victim to hand over sensitive information. By email or text the hook is usually a link or an attachment; by telephone the caller simply tries to talk the recipient into revealing what they want. Often they ask for Social Security numbers, payment card details, or other information that can be used for fraud or sold on the Dark Web.
The vulnerability in question bypasses the browser's Same Origin Policy (SOP). The SOP ordinarily prevents one website from reading (or stealing) data that belongs to another: a page may access another page's content, cookies or responses only if both have the same origin, meaning the same scheme (http or https), the same host name and the same port, not merely the same domain name. This hole defeats that protection, so a page the attacker controls can read what your bank's site or your tax site has left in the browser.
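To make the origin rule concrete, here is a small model of the check a browser performs, written for this article as an added example (it is not code from the original post, from Microsoft, or from the researcher's report). It assumes a Node.js environment with the built-in URL class; the bank.example and attacker.example URLs and the response headers are constructed for illustration. It also shows the one sanctioned way across the boundary, a server opting in with the CORS Access-Control-Allow-Origin header, so you can see exactly what an SOP bypass lets an attacker skip.

```javascript
// Model of the browser's Same Origin Policy (added example, not from the original post).
// An origin is the (scheme, host, port) tuple; two pages share data only if all three match.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Parse a URL into its origin tuple, filling in the scheme's default port.
function originTuple(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,                              // e.g. "https:"
    host: u.hostname,                                // e.g. "bank.example"
    port: u.port || DEFAULT_PORTS[u.protocol] || "", // "443" when omitted for https
  };
}

// The origin as a browser serializes it in the Origin request header.
function serializeOrigin(urlString) {
  return new URL(urlString).origin;
}

// True only when scheme, host and port all agree; the path is irrelevant.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// May script running in `documentUrl` read the body of a response fetched from `requestUrl`?
// Same-origin reads are always allowed. Cross-origin reads are allowed only when the
// server opted in via CORS: Access-Control-Allow-Origin must name the requesting origin,
// or be "*" for requests sent without credentials (cookies). A credentialed request,
// which is what a session-stealing attack needs, is never satisfied by "*".
function canReadResponse(documentUrl, requestUrl, responseHeaders = {}, withCredentials = false) {
  if (sameOrigin(documentUrl, requestUrl)) return true;
  const acao = responseHeaders["access-control-allow-origin"];
  if (!acao) return false;
  if (acao === "*") return !withCredentials;
  return acao === serializeOrigin(documentUrl);
}

// Constructed scenario: the victim is logged in to bank.example and visits attacker.example.
// The attacker's page fetches the bank's account page with the victim's cookies attached.
function attackerCanReadBankSession(bankResponseHeaders = {}) {
  return canReadResponse(
    "https://attacker.example/lure.html",
    "https://bank.example/accounts",
    bankResponseHeaders,
    true, // cookies are sent, so this is a credentialed request
  );
}

// Under a working SOP the bank sends no CORS header and the read is refused.
console.log("attacker can read bank session:", attackerCanReadBankSession()); // false
```

The scenario function is the whole story of this bug in one call: with the SOP intact, attacker.example gets a refusal unless bank.example explicitly lists that origin in its CORS header, and even a permissive "*" does not unlock a request that carries cookies. An SOP bypass in the browser makes that function effectively return true regardless of what the bank sends, which is why no server-side setting on the bank's side can protect a user running the vulnerable browser.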
Always keep software and apps updated with the latest patches and versions. In the case of Internet Explorer, well… it's outdated and will soon go into the "end of life" pile, after which it will no longer be supported. Patches aren't released for unsupported products, so if you're still using it you are leaving your devices open to exploits.
As for phishing, don't open attachments or links unless you are expecting them, know the sender, AND are as certain as possible that they're safe. If in doubt, call the sender to verify, using a number you already have rather than one printed in the message. If you get a phone call asking for personal information, don't give it unless you initiated the call, know it's legitimate for them to ask, and were expecting the call. Remember that government agencies such as the IRS don't initiate contact with you by email or phone; it starts with a letter that comes in the U.S. Mail.
When you get that familiar notification that a patch or update is available for your Microsoft browsers, don't hesitate to apply it. That's your protection against exploits targeting this vulnerability as well as others. One caveat in the spirit of the phishing advice above: Microsoft delivers these updates through Windows Update, not as email attachments or links, so an email urging you to install a "browser update" is itself a red flag.