Zero-day exploit targets IE; some researchers advise switching browsers

Some security experts are urging individual and enterprise users running Internet Explorer to switch to another browser for now, in the face of a new zero-day exploit affecting IE.

Security researcher and blogger Eric Romang discovered a new zero-day exploit over the weekend that targets multiple versions of IE, which runs on about 40 percent of the computers in North America.

Microsoft, in an advisory, said the vulnerability affects Internet Explorer 6, 7, 8 and 9 (but not IE 10) running on just about any Windows operating system. But the company noted that on Windows Server 2003, 2008 and 2008 R2, the browser runs in a restricted configuration that mitigates the vulnerability.

Related coverage:

Time to give up on Java?

Not surprisingly, Microsoft does not recommend switching from IE. It recommends installing the Enhanced Mitigation Experience Toolkit, a limited support utility that helps prevent exploitation of vulnerabilities but which is available only in English. It also recommends setting Internet security settings to high to block ActiveX controls and Active Scripting. A full patch is expected sometime in the next week.

Meanwhile, some in the security community are recommending that users abandon the popular IE browser, at least until a fix is available.

“Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available,” recommended Metasploit, developer of the open-source penetration testing tool. “The exploit had already been used by malicious attackers in the wild before it was published.”

The exploit can download the code to a vulnerable computer visiting a malicious Web site.

The news comes just weeks after a zero-day exploit for Java 7 hosted on the same server raised the question of whether the risks of running Java outweighed the benefits. Oracle addressed that vulnerability with an unusual out-of-cycle patch, but the popularity of Java with hackers and its ubiquity in browsers had many in the security community recommending that it be at least turned off in the browser, if not removed from computers.

The Java flaw was being exploited by a hacker group apparently based in China, which Symantec had dubbed the Nitro gang, that in 2011 had attacked systems in the chemical industry and some defense contractors, researchers said. Romang said the IE exploits were possibly from the same group.

So is it time to get rid of Internet Explorer? There are those who have long advocated for other, supposedly more secure, browsers who undoubtedly will say yes. Microsoft still has a commanding market share, with IE 9 claiming a quarter of the North American market as of August, and IE 8 about another 14 percent. But Chrome has a strong 21 percent and Firefox comes in with about 14 percent, according to StatCounter global stats.

As long as Microsoft continues to lead the browser market, IE is likely to be a popular target for attackers. For the short term, dropping IE might make sense for you, as long as it isn’t more trouble to replace browsers in your enterprise than it is to patch them. But you never know for sure just how secure a commercial product is until it has been subjected to a trial by fire, and if other browsers replace IE, they are likely to feel the heat.