A vulnerability discovered in Internet Explorer over the weekend is serious—serious enough that the Department of Homeland Security is advising users to stop using it until it’s been patched.
On Monday, the United States Computer Emergency Readiness Team (US-CERT), part of the U.S. Department of Homeland Security, weighed in.
“US-CERT is aware of active exploitation of a use-after-free vulnerability in Microsoft Internet Explorer,” it said in a bulletin. “This vulnerability affects IE versions 6 through 11 and could lead to the complete compromise of an affected system.
“US-CERT recommends that users and administrators enable Microsoft EMET where possible and consider employing an alternative web browser until an official update is available.” The Enhanced Mitigation Experience Toolkit (EMET) is a Microsoft utility that helps prevent vulnerabilities in software from being successfully exploited, and can be downloaded from Microsoft. It supports every Microsoft operating system from Windows 7 on up.
Microsoft has yet to decide whether it will issue an emergency patch in the coming days or wait for Patch Tuesday on May 13 to repair supported versions of IE.
The new remote code execution vulnerability, dubbed CVE-2014-1776, has the potential to give hackers the same user rights as the current user. That means a successful attacker who infects a PC running as administrator would have a wide variety of attacks open to them, such as installing more malware on the system, creating new user accounts, and changing or deleting data stored on the target PC.
Windows XP is especially vulnerable, given that Microsoft discontinued support for the OS earlier this month.
Additional reporting by Ian Paul.