It may be long past expiration but Internet Explorer is still being used on some computers and in cases where companies or organizations have locked themselves into technologies that depend on good ol’ IE. In fact, Microsoft’s browser is still installed by default on almost all Windows computers, which means it can still become a security liability, like in this new flaw that’s reportedly being exploited in the wild. Microsoft’s response? Wait next month for the fix.
It was one of the great enablers at the dawn of the Internet Age but Internet Explorer has also long become an embarrassment to both the Web and Microsoft. But just because there’s a new browser in town doesn’t automatically make it more secure. Especially when it’s just sitting around unused, waiting to be misused for a security exploit.
The US-CERT is reporting exactly that scenario regarding a critical vulnerability in the venerable web browser. Similar to an exploit reported by Mozilla last week, this bug takes advantage of IE’s memory handling to give attackers the ability to run malicious code on a computer remotely. It doesn’t just happen though and requires that users click links that open in Internet Explorer.
It’s not just potential though as US-CERT also mentions that Microsoft is aware of “limited targeted attacks”, which is technical shorthand for “it’s being used in the wild right now”. Despite all these factors, Microsoft doesn’t seem to be in a hurry to push out a fix and will do so during its regular monthly security cycle.
That means users will have to be on guard until February 11 when that fix finally rolls out. Actually, they should be on guard all the time. The one good news is that the update will reportedly be available even for Windows 7, which has already reached its end of life last week.