Microsoft have urged Windows users to download their Enhanced Mitigation Experience Toolkit v3.0 (EMET) in order to protect themselves from a new zero day vulnerability discovered in their Internet Explorer web browser.
The vulnerability, discovered by Eric Romang, affects the three most recent versions of the popular browser – IE7, IE8 and IE9 – on Windows XP, Vista and 7:
“I can confirm, the zero-day season is really not over yet. Less than three weeks after the discovery of the Java SE 7 0day, aka CVE-2012-4681, potentially used by the Nitro gang in targeted attacks, a potential Microsoft Internet Explorer 7 and 8 zero-day is actually exploited in the wild.”
Microsoft’s suggested EMET fix requires users to download a file, install it and then manually configure it to protect their devices from the new threat. Whilst some computer users may be perfectly OK with that, many more may be confused as to exactly what they need to do. Therefore, the best option for many web users may be to switch browsers, at least temporarily, as per this advice from Rapid7 on their Metasploit blog:
“Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available.”
Microsoft’s next regular patch release – “Patch Tuesday” – is scheduled for October 9th, so it will be interesting to see if they release something out of band to counter this threat.
In the meantime, will you stick or twist on Internet Explorer?