Don’t Read This Post in Internet Explorer

In fact, don’t do anything in Internet Explorer. At least that’s the advice of both the US and UK governments, along with nearly every major tech publication. Why? Because a recently discovered exploit in the popular web browser could – maybe, possibly – be used to hijack your computer.

Here are the details of this new bug, courtesy of CNN:

If you’re using Internet Explorer and click on the wrong link, a hacker could hijack your computer. Microsoft is racing to address a weakness in its popular Web browser that security experts at FireEye revealed over the weekend. The researchers discovered that hackers have exploited the bug and created a new type of attack.

This is how it works: Hackers set up a website that installs malware when you visit it. If you’re duped into visiting the website while using the Internet Explorer program, malware seeps into your computer and gives a stranger total control. You might not even notice.

Not to downplay the issue – as Microsoft has admitted the existence of the flaw, and is working around the clock on a fix – but one has to wonder whether this exploit would have been as sensationalized if it had not been for the Heartbleed bug from a few weeks back. I suppose we can only speculate.

In any event, what we know for certain is that this exploit is fundamentally similar to almost every other serious exploit, in that it could lead to compromised personal data. Once said hacker has control of your PC, he or she would also have access to your email, your passwords – basically, everything you wouldn’t want them to have. But as CNN notes, because this is a Windows-specific bug, it comes with a few caveats and complications. First and foremost, the coming security patch will not be applied to anything older than Windows 7:

It’s worse for those using Windows XP, because Microsoft no longer supports that operating system with security patches. To them, Microsoft says: Go upgrade to Windows 7 or 8.1.

And then, of course, there is the fact that the world essentially runs on Windows:

But this bug is more omnipresent than it seems. Lots of machines use Windows — bank ATMs, point of sale systems, restaurant seating tools — and Internet Explorer is their default browser. If hackers manage to send them to a bad website, that machine is now under their control. It won’t be easy, but it’s possible.

“You don’t think of them as Windows PCs running software,” said Paco Hope, a consultant with software security firm Cigital. He advises that businesses talk to equipment vendors to determine how vulnerable they are.

Microsoft has historically been superb at fixing all issues (not just those related to security), so we take them at their word when they say it will be resolved soon. In the meantime, if you simply refuse to use another browser, it’s been reported that disabling Flash neutralizes the bug. Apparently, enabling “Enhanced Protected Mode” also does the trick.

As testers, what are your thoughts on the IE bug? Be sure to share in the comments section below.

Comments

  1. Milos Dedijer says

    The “New Internet Explorer Bug” sentence stopped drawing anyone’s attention some years ago as it is as common as sunrise. I’m always amazed when I see the charts showing browser market share pies and the slice IE still manages to take. Only the last two major releases were decent but they were a couple of years late to preserve a good name with us techies.

    But all of us, testers, need to thank Microsoft for developing it in such a way, as many of us wouldn’t have a job if it wasn’t for IE. Without auto update the four different active versions made it almost impossible to optimize for and brought testers worldwide glory and riches during their cross-browser bug hunts. I still have machines with all versions of the browser in a dusty corner of my home in case I ever find myself in need of a bug. And I still have a tingling feeling in my stomach when I see IE 7 inside a test cycle scope overview.

    So I would like to use this occasion to thank Internet Explorer for helping me in my career, thank you IE.
