April 26, 2014 Internet Explorer Security Vulnerability

A serious security flaw was identified on April 26 that affects all versions of Microsoft Internet Explorer (IE). As a result, the U.S. Department of Homeland Security (DHS) is advising Americans not to use IE until a fix is found. Microsoft has confirmed that it is working to fix the code that allows IE versions 6 through 11 to be exploited by the vulnerability.

The security flaw, known by its creators as "Operation Clandestine Fox", allows malicious hackers to get around security protections in the Windows operating system when a user visits a compromised site that contains infected code. Rather than directly reaching out to a victim, the hackers inject their code into a "normal, everyday website" that then infects the user's computer. This tactic is known as a "watering-hole attack".

Because the hack uses a corrupted Adobe Flash file to attack the victim's computer, users can avoid it by turning off Adobe Flash, specifically by disabling the Adobe Flash plug-in in Internet Explorer.

Computer users who are running the Windows XP operating system will not be eligible for a security update to fix this problem, as Microsoft discontinued support of XP on April 8, 2014.

Actions to take to mitigate the IE vulnerability

Contact your LAN Administrator or desktop support to make sure you are complying with agency policy and to determine whether you are authorized or technically enabled to take the following steps:

  • Until fixed, use another browser, including Chrome. Chrome must be at version 34.0.1847.131 or higher.
  • If you can't switch browsers:
    • Do not visit untrusted websites or websites you are not familiar with. Hackers "poison" random sites that execute the malware on your system.
    • Disable the Adobe Flash Plug-in:
      • On the IE toolbar, click on "Tools" > "Manage add-ons". Under "Add-on Types", select "Toolbars and Extensions" in the left-hand frame. In the main frame, if you see Adobe Flash, highlight it and then click the "Disable" button near the bottom of the screen, then "Close".
    • Run Internet Explorer with Protected Mode enabled:
      • On the IE toolbar, click on "Tools" > "Internet options". On the next screen, click on the "Security" tab at the top. On the next screen, select "Enable Protected Mode" if not already checked. Select "OK".
    • Run all software as a non-privileged user (one without administrative privileges). If you are not sure what this means, contact your LAN or system administrator to confirm.
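
For administrators or desktop support staff who want to confirm these settings on a machine, the following PowerShell script is an added example, not part of the original advisory. It checks three of the steps above (Protected Mode, non-privileged session, Chrome version) and assumes the usual Windows conventions: the Internet zone is zone 3, Protected Mode is stored as value 2500 (0 = enabled, 3 = disabled), and Chrome is in one of its common install paths.

```powershell
# Added example: audit three mitigations from the list above for the current user.
# Assumptions (not from the advisory): Internet zone = zone 3, Protected Mode =
# value 2500 (0 = enabled, 3 = disabled); Chrome install paths are the common ones.
$MinChrome = [version]'34.0.1847.131'   # minimum Chrome version named in the advisory

function Test-ProtectedMode {
    # Per-user setting first, then the machine-wide default.
    $sub = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $item = Get-ItemProperty -Path "$hive\$sub" -Name '2500' -ErrorAction SilentlyContinue
        if ($null -ne $item) { return ($item.'2500' -eq 0) }
    }
    return $null   # value not present: cannot tell from the registry alone
}

function Test-IsAdministrator {
    # With UAC this reports whether the current session is elevated.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ChromeStatus {
    param([string[]]$Candidates = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
        "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"))
    foreach ($path in $Candidates) {
        if ($path -and (Test-Path $path)) {
            $v = [version](Get-Item $path).VersionInfo.ProductVersion
            return New-Object PSObject -Property @{ Path = $path; Version = $v; Ok = ($v -ge $MinChrome) }
        }
    }
    return $null   # Chrome not found in the assumed locations
}

$pm = Test-ProtectedMode
$pmText = if ($null -eq $pm) { 'not set in registry' } elseif ($pm) { 'enabled' } else { 'DISABLED' }
"Protected Mode (Internet zone): $pmText"

$adminText = if (Test-IsAdministrator) { 'YES (use a non-privileged account)' } else { 'no' }
"Running with administrative privileges: $adminText"

$chrome = Get-ChromeStatus
if ($null -eq $chrome) { 'Chrome: not found in the assumed locations' }
elseif ($chrome.Ok) { "Chrome $($chrome.Version): meets minimum $MinChrome" }
else { "Chrome $($chrome.Version): BELOW minimum $MinChrome, update required" }
```

The script only reads settings and changes nothing; it does not check the Adobe Flash add-on state, which still needs to be confirmed in "Manage add-ons".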