Yet another “zero-day” has surfaced, and this time it revolves around one of the most popular web-browsers: Internet Explorer.
Discovered by Romang, a Luxemborg-based IT security advisor, the malware can worm its way into computers running fully-patched Windows XP SP3, along with the latest editions of IE 7, 8, and 9. Internet Explorer 10 is not affected, but neither is it safe, due to the vulnerabilities in its embedded Adobe Flash player.
In its security update, Microsoft is advising users to use the Enhanced Mitigation Experience Toolkit (EMET) to prevent the zero-day exploit from working. In addition, users are told to set their Internet and local intranet security zone to “High” to block ActiveX controls and Active Scripting from running, or configure it to prompt before executing.
Adobe Flash has issued a patch to address the critical flaws that pave the way for zero-day, however, the version of Flash imbedded in Windows 8’s Internet Explorer 10 is still vulnerable to attack. Windows 8 hasn’t officially launched yet, and Microsoft’s initial response was to delay the update until after October 26 when Windows 8 becomes available to the general public.
PC World spoke to the Director of Microsoft Trustworthy Computing, Yunsun Wee, about this: “In light of Adobe’s recently released security updates for its Flash Player, Microsoft is working closely with Adobe to release an update for Adobe Flash in IE10 to protect our mutual customers.”
“This update will be available shortly. Ultimately, our goal is to make sure the Flash Player in Windows 8 is always secure and up-to-date, and to align our release schedule as closely to Adobe’s as possible.”
The software, Java, is another culprit in this zero-day saga. The Internet Explorer exploit also relies on vulnerabilities present in Java to access computer systems. That means any computer that has Java installed is at risk. Equally, computers that don’t have Java are safe against Metasploit-based exploits.
Most computer users are not even aware of what Java is for, let alone use it. So if you can do without it, it is strongly recommended that you uninstall Java right now.