
Microsoft has released YAIESA, or Yet Another Internet Explorer Security Advisory if you prefer. This time, SA2757760 warns about a new zero-day out there in the wild which impacts all users of Internet Explorer 9 and earlier versions. It's the usual case of targeted attacks being spotted which could lead to the remote execution of malicious code if you happen to view an infected website.

Although users of Internet Explorer 10 are not affected according to Microsoft, which accounts for a tiny minority of IE users of course, this does amount to what I see as the final nail being hammered into what has already become quite a creaky web browser client coffin of late; and here's why.

Microsoft has issued a number of 'workarounds and mitigations' that can be deployed to protect users. There's the 'Enhanced Mitigation Experience Toolkit (EMET)' for starters. Or a temporary patch, to you and me, which requires a fair bit of configuration fiddling to be of any use. Fiddling such as, and I hope you are sitting down with a cup of tea and some time to spare, the following:

Changing your Internet and local intranet security zones to the high setting in order to block ActiveX Controls and Active Scripting, which Microsoft admits will hit you in the usability stakes so further recommends you add trusted sites to your trusted sites zone. Quite how you are expected to know what sites can be trusted not to have been infected by the zero-day exploit is, frankly, beyond me. Microsoft hasn't finished yet though, also recommending that users of Internet Explorer should configure it to prompt before running Active Scripting (or even disable Active Scripting in the aforementioned zones) which, it adds, will once again disrupt your use of sites that are not in the trusted zone. Deploying the Enhanced Mitigation Experience Toolkit (EMET) is also recommended, but tough luck if you do not speak English as it's only available in that language.

I have some different advice which is a lot simpler, and guaranteed to be effective against this particularly serious zero-day threat: stop using Internet Explorer and switch to Chrome, Firefox or Safari instead.


As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.
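For anyone who has to stay on Internet Explorer and wants to check whether the zone workaround described in the article is actually in place, here is an added example (not part of the original article or of Microsoft's advisory). It assumes the standard IE URL-action registry values, which the article does not list: zone 1 is Local intranet, zone 3 is Internet, value 1400 is Active Scripting, value 1200 is "Run ActiveX controls and plug-ins", and the data 0/1/3 means Enabled/Prompt/Disabled.

```powershell
# Added example: report the per-user Active Scripting and ActiveX settings
# for the two zones named in the workaround. Read-only; changes nothing.
# Assumption: standard IE zone/URL-action registry layout (not from the article).
$Zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Actions = @{ '1400' = 'Active Scripting'; '1200' = 'Run ActiveX controls and plug-ins' }
$Meaning = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$Base    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-ZoneWorkaroundReport {
    foreach ($zone in $Zones.Keys | Sort-Object) {
        $props = Get-ItemProperty -Path "$Base\$zone" -ErrorAction SilentlyContinue
        foreach ($id in $Actions.Keys | Sort-Object) {
            # A missing key or value means the per-user setting was never written.
            $raw = if ($props) { $props.$id } else { $null }
            if ($null -eq $raw) {
                $state = 'Not set for this user'
                $ok    = $false
            } else {
                $value = [int]$raw
                $state = if ($Meaning.ContainsKey($value)) { $Meaning[$value] } else { "Other ($value)" }
                # The workaround asks for prompting or disabling, so 1 or 3 passes.
                $ok    = (1, 3) -contains $value
            }
            New-Object PSObject -Property @{
                Zone             = $Zones[$zone]
                Setting          = $Actions[$id]
                State            = $state
                MatchesWorkaround = $ok
            }
        }
    }
}

Get-ZoneWorkaroundReport | Format-Table Zone, Setting, State, MatchesWorkaround -AutoSize
```

This reads the current user's settings only; on a managed machine, Group Policy can override them, so a "Not set" or "Enabled" row here is a prompt to check policy rather than a final verdict.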


Just back in May they discovered 16 zero days in Chrome, so how is it safer?


Chrome's 16 zero days were patched within 24 hours AFAIK. I didn't have to do anything. Safer? Probably not at the time of testing. After? How many IE users out there have gone through the steps mentioned above? I don't know, just curious.

Despite the safety aspect, why the hell anybody would be using IE out of choice is beyond me. My school has just moved over to Chrome from IE - years too late IMO. Dominoes fall, dominoes fall...

Votes + Comments
true dat :)

run microsoft windows malicious software tool... took off a trojan from my ie and it started working !!


Malicious software removal tool is almost as pathetic as IE is. Also doesn't it seem odd that this thing seems to always happen just when Microsoft is trotting out a new version of IE. IMHO they could really care less about producing a browser that is secure. It seems to be about being "shiny and bright". Whatever happened to a browser being just plain FUNCTIONAL? To hell with all the bells and whistles and "Decision Engines" and Google trying to play Big Brother with their tracking everybody and everything.
