Experts at SophosLabs have raised their threat level to “High” in response to an as-yet unpatched security vulnerability in Internet Explorer.
The zero-day threat, which was uncovered at the weekend and impacts most versions of Windows, has already resulted in the German government advising users to stop using Internet Explorer.
The rise in the SophosLabs internet threat barometer comes in response to in-the-wild attacks that the team has detected exploiting the CVE-2012-4969 vulnerability in Microsoft’s popular web browser.
SophosLabs defines various threat levels from “Low” to “Critical”, based upon the prevalence of malware, spam and web threats, and intelligence regarding new vulnerabilities.
SophosLabs rates the Internet Explorer vulnerability, judged on its own, as critical, but the seriousness of the threat means that our experts rate the threat level on the net as a whole as “High”.
At the time of writing, Microsoft has only published details of temporary workarounds to reduce the chances of computers being exploited by the vulnerability, but it’s clear that the ideal solution would be an official patch for Internet Explorer.
The good news is that Microsoft is working on a fix.
Yunsun Wee, a communication director at the Microsoft Security Response Center, has said that the company plans to release a “Fix It” within the “next few days”.
"The Fix it is an easy-to-use, one-click, full-strength solution any Internet Explorer user can install. It will not affect your ability to browse the Web, and it will provide full protection against this issue until an update is available. It won't require a reboot of your computer."
If you can’t wait for a fix, or if you don’t like Microsoft’s suggested mitigation workarounds, then the only sensible option is to use another browser.
Unfortunately, that’s not an easy option for companies in particular to take.
(Customers should note that Sophos products protect against the vulnerability, detecting attempts to exploit it as Exp/20124969-A; however, we would still recommend that IE users apply the security patch as soon as it is released by Microsoft.)
5 comments on “Threat level goes HIGH, as Microsoft readies fix for critical Internet Explorer security hole”
That M$ have known of this for four months already and not released a patch is seriously worrying.
It is yet another reason why, in my view, MS should have been made to disconnect IE from all Windows OSs. That way we could be safer by uninstalling IE and using other browsers which may be more secure. Other operating systems can manage perfectly well without having something as flawed as IE built in, though all have some form of communications method to receive updates, etc. But it seems they are less (?) vulnerable to security errors and flaws.
Windows 7 allows the user to uninstall Internet Explorer and remove it from the OS if they wish. Here is an article that explains how to remove the pre-installed IE 8 from Windows 7:
Microsoft is not unique in bundling their browser with their OS. Apple do the same with Safari in Mac OS X. Since Apple fixed 163 flaws in iTunes with the recent 10.7 update (which also relies on the WebKit rendering engine, the same as Safari), you could also take the same view that Apple should also allow its users to remove Safari.
Since everyone has the choice to use the browser they wish and uninstall IE from Windows, I don't see the problem.
Well, no software is perfect. While it may 'seem' others are less vulnerable, it just may mean they hide their issues more. Microsoft works on patches and releases them. That's how future maintenance for software works in IT. No one has a crystal ball.
Sorry, but I am not tech-savvy yet have so many (dumb) questions about this that I don't know where to begin.
1. How is this malware spread? Is there a semi-obvious sign, such as a Flash update pop-up that appears on your screen? Or can you get the malware just by using IE?
2. How would the technologically-dense person know if he has the malware? If he had stupidly used IE in the day(s) BEFORE he read this article, should he err on the side of caution and assume that his computer is infected?
3. If your computer is infected, should you flatten and rebuild (clean wipe) your computer and then avoid IE until Microsoft releases a stable security patch (not just the quick fix that's mentioned here)? Or will the stable security patch (hopefully) completely remove the malware and so eliminate the need to flatten and rebuild your infected computer?
4. Can current antivirus software prevent the malware from loading on your computer, even if you've clicked on something (e.g., a pop-up masquerading as a Flash update) or used IE?
"Unfortunately, that's not an easy option for companies in particular to take."
This is an understatement, to say the least. Everyone who posts things like "Who uses IE anymore?" is totally disconnected from the business world. Here, we are locked in to decisions made a long time ago when it was decided to put browser front ends on applications, even before the mass movement of applications to the "Cloud". (Don't even get me started)
As far as universal adherence to standards that would have made true browser choice a reality, that train left the station years ago. We may get closer to it going forward but it will be a long time after it is theoretically possible before vendors update their applications so that we aren't forced to continue on using IE8 in order to fully access all functions of the vendors' applications.