Homeland Security Now Warning Against Using Internet Explorer Until Vulnerability is Resolved

You know the stuff is getting serious when Homeland Security steps in and starts warning the public about using a specific piece of software. The last time they stepped in was during a server Java breach in 2013. Java security hasn't gotten much better, by the way, but this time the US Computer Emergency Readiness Team (CERT) is telling the public to stop using Internet Explorer until a patch is provided.

We broke news of the severe vulnerability over the weekend when it was first announced by Microsoft. You can read all about that in All Hands On Deck: Zero-Day Reported in the Wild, Affects IE6-11, which also outlines mitigation techniques and workarounds.

The full Homeland Security statement is here: Vulnerability Note VU#222929

The government agency goes into a bit more depth, stating that the Internet Explorer vulnerability causes Adobe Flash to become corrupted so that the attack can piggyback on a memory address leak. They also state that it's possible the vulnerability could be exploited even without the use of Flash. CERT also suggests that EMET might be the best possible mitigation right now, although platforms that do not support ASLR, such as Windows XP and Windows Server 2003, will not receive the same level of protection that modern Windows platforms will.

Many have noted that a new Adobe Flash security update has been released today, but some have mistakenly assumed Adobe's release is in response this newly reported Internet Explorer exploit. That is not the case. Adobe's Flash security release today closes a hole the company has been working on with Kaspersky Labs for a couple weeks.