Co-authored by Dr. Stephen Bryen, CTO Ziklag Systems
Microsoft has now acknowledged that its Internet Explorer Browsers are vulnerable to targeted attacks. How long Microsoft has known about the danger is not known. It was advised by a private company called FireEye. FireEye says "Threat actors are actively using this exploit in an ongoing campaign which we have named "Operation Clandestine Fox."" However, FireEye is giving no further details on what it knows, who the threat actors are, and in particular how long they have been operating and exploiting this hole in Internet Explorer.
Microsoft is not offering a solution. It is making some suggestions on how to cope with the problem, but it does not guarantee that any of them will provide complete protection. As of now, Microsoft is not offering any "patches" or repairs to the Explorer Browser.
For its part, FireEye makes two suggestions. One is to use a Microsoft product called EMET, the Enhanced Mitigation Experience Toolkit. According to both FireEye and Microsoft, the latest versions of these toolkits appear to prevent attackers from exploiting the bug in the Explorer Browser. But earlier versions of EMET don't work, and EMET is reportedly known to create other problems of its own, including crashing operating systems. Another suggestion, made by FireEye but not by Microsoft, is to disable and remove the Flash plug in. As many web sites use Flash, this may stop any exploitation, but it may also shut down many Browser capabilities such as online videos.
For the average user, and for many business organizations, there is a clear dilemma. Without any assured way to truly mitigate the risk, individuals and companies are left guessing. What should they do?
The best advice for now is to find another Browser and dump Internet Explorer. Microsoft's tepid response to the threat and the fact that Internet Explorer Browsers may have been exploited over a considerable time period suggests that the Browser cannot be trusted.
All Microsoft Explorer Browsers from version 6 up through version 11 are potentially impacted by the vulnerability. While FireEye says that the exploit was designed mostly against Explorer Versions 9 to 11, the earlier Explorer products also are vulnerable. If we just consider Versions 9 to 11 we are talking about 25% of the Browser market; if all versions are considered we are at nearly half the Browser market.
Spies, intruders and hackers usually go after low hanging fruit, and with Microsoft dominating the Browser marketplace, it is a prime target. But that is changing. Google Chrome is growing rapidly in market share, partly because it offers Gmail and functions such as Google Docs.
Right now we don't know if Google, or Firefox which makes an excellent Browser, or any other (such as Opera) are safer than Microsoft's Internet Explorer.
Businesses, small and large, and organizations face a hard problem. Virtually all of today's Browsers are focused on some form of marketing and entertainment. One of the consequences is that user privacy is seen only from the point of view of monetization, not from a security outlook. This means that organizations are truly living in a nether world, where their proprietary and sensitive information is almost always at risk. To add to the risk, we have little or no idea how all of this translates into the mobile space. Are mobile Browsers safe? Does the Microsoft Explorer bug extend to mobile platforms, e.g., Windows-based smartphones? We don't know.
So while throwing out Explorer until it is fixed might be a short term "fix," it is a very partial one to say the least. For sure, the hole in Microsoft Explorer is big, but it may also be bigger than anyone thinks. Because Internet Browsers today are not built to really be safe. None of them are.