HP’s ZDI has published four critical flaws in the browser

Jul 23, 2015 05:43 GMT

Internet Explorer will soon become the second option in Windows 10, but Microsoft is still struggling to keep it secure and to patch every vulnerability found as fast as possible so that users are fully protected.

But it turns out that this time the company hasn’t moved fast enough, as HP’s Zero-Day Initiative (ZDI) has just published four critical zero-day vulnerabilities (ZDI-15-359, 360, 361 and 362) it found in Internet Explorer after the 120-day deadline in its disclosure policy was reached.

HP’s ZDI has a policy that gives vendors 120 days to fix the flaws once they have been informed about them. If they fail to do so, the zero-days are posted online.

According to the information ZDI provided today, all vulnerabilities allow for remote code execution and attackers could get the same privileges as the logged-in users.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit these vulnerabilities through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit these vulnerabilities,” ZDI says in an advisory.

“Refrain from using the browser”

What’s very important to know is that attackers need to convince you to click a malicious link, so unless you do that, you are perfectly secure. In some cases, however, they could turn to scripts and other tricks to make you click the link, which is why some security experts recommend that you stop using Internet Explorer for a while until Microsoft fixes this.

“It is unlikely that exploit code exists at the moment and difficult to reverse engineer the vulnerabilities as details are sparse. There is not much you can do at the moment, except refrain from using Internet Explorer,” Wolfgang Kandek, CTO of Qualys, said in a statement.

Internet Explorer is also available in Windows 10, which launches next week, so expect another out-of-band patch released by Microsoft in the coming days.

Update, July 24, 2015: Microsoft has revealed to us that the vulnerabilities reported by ZDI have already been fixed in bulletins MS14-037 on July 8, 2015 and MS15-018 on March 10, 2015, so you can safely use Internet Explorer if your computer is fully up-to-date.