
US agency advises move away from Internet Explorer unless businesses find security flaw workarounds

Out-Law News | 29 Apr 2014 | 12:56 pm

An IT security agency within the US government has warned that businesses should not use Microsoft's Internet Explorer (IE) web browser unless they can work around a security vulnerability.

The Computer Emergency Readiness Team (CERT), part of the US Department of Homeland Security, said businesses should consider switching to an alternative browser unless they can apply "mitigation actions and workarounds" identified by Microsoft to address a vulnerability that exists in versions 6 to 11 of IE.

Microsoft warned that hackers able to exploit the vulnerability "could gain the same user rights" as existing system users, potentially "take complete control of an affected system" and "then install programs; view, change, or delete data; or create new accounts with full user rights".

"An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website," Microsoft said in an advisory notice. "The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability."

"In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email," it said.

Microsoft said that it was aware of "limited, targeted attacks" seeking to exploit the security flaw and said it may advise customers to install a security patch when a fix for the fault is identified.

CERT said that IE users who also use Microsoft's Windows XP and some other operating systems are at greater risk than others as a result of the flaw because those users will not be able to "follow Microsoft's recommendations". Microsoft has identified a number of measures businesses can deploy to reduce their exposure to the security risk, including altering security settings in IE and deploying more restrictive access controls for users.