Microsoft says it’s already working on the patch

Jan 20, 2020 06:12 GMT

The Internet Explorer zero-day that Microsoft has recently acknowledged is the subject of a new security advisory published by the US Department of Homeland Security.

In an advisory published this weekend, the Cybersecurity and Infrastructure Security Agency (CISA) warns that an attacker can obtain full control of an unpatched device using a vulnerability in the browser that the Windows operating system ships with.

Internet Explorer is no longer the default browser in Windows 10, being replaced by Microsoft Edge. It is, however, offered pre-loaded in the operating system for compatibility reasons – Microsoft recommends against using it as a daily browser, but security patches are still provided.

CISA says malicious actors can exploit this vulnerability remotely and, citing Microsoft’s own advisory, emphasizes that the flaw is already being used for attacks.

“Microsoft has released a security advisory to address a critical vulnerability in Internet Explorer. A remote attacker could exploit this vulnerability to take control of an affected system. According to the advisory, ‘Microsoft is aware of limited targeted attacks,’” the CISA warning reads.

"Use a different browser"

The security agency also recommends that users switch to a different browser, at least until a patch is released by Microsoft.

“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s Advisory ADV20001 and CERT/CC's Vulnerability Note VU#338824 for more information, implement workarounds, and apply updates when available. Consider using Microsoft Edge or an alternate browser until patches are made available,” it says.

It is worth knowing, however, that even if you use a different browser, your device remains vulnerable due to apps based on the IE engine.

Microsoft has already acknowledged the bug and provided mitigation for it, but said a full patch is still in the works. An ETA hasn’t been provided; however, it’s believed the company will wait until the next Patch Tuesday cycle to release it.

The upcoming Patch Tuesday updates will be published on February 11.