Feds warn against using Microsoft’s Internet Explorer until security hole is fixed

The U.S. Computer Emergency Readiness Team has issued an advisory today suggesting that people consider avoiding Internet Explorer until Microsoft patches a flaw that could allow attackers to execute code on a computer as the current user.

For people who still need to use Microsoft’s browser, US-CERT suggests deploying version 4.1 or 5.0 of Microsoft’s Enhanced Mitigation Experience Toolkit, which should (as the name implies) mitigate the attack.

The flaw was first spotted by security research firm FireEye, which claims that it is being actively exploited in “targeted attacks.” According to Microsoft’s security advisory, the flaw affects everything from Internet Explorer 6 up to the most recent version of Internet Explorer 11, though FireEye says the attack is targeting IE 9 through 11.

This vulnerability is of particular concern to Windows XP users, since Microsoft won’t be providing an update to the decade-old operating system after ending support for it three weeks ago. That means anyone using Internet Explorer on XP will be vulnerable to attack from this point onward. While security researchers and Microsoft have warned users about the consequences of sticking with XP and offered discounts on new hardware to people who want to switch, not everyone has changed over to a newer operating system.

There’s still a chance that Microsoft could choose to issue a patch for the flaw to XP users, though it’s unclear if the company would do so.

Microsoft did not immediately respond to a request for comment on the US-CERT advisory, but the company’s security advisory said, “On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.”

Update: A Microsoft spokesperson provided GeekWire with the following statement via email: “Extended Support for Windows XP ended on April 8, 2014. Microsoft no longer provides security updates for this operating system. Our advice to customers is to migrate to a modern OS, like Windows 7 or Windows 8.1.”