The U.S. Department of Homeland Security on Monday warned computer users against using Microsoft's Internet Explorer browser until a fix is issued for the security vulnerability that came to light over the weekend.
"Those who cannot follow Microsoft's recommendations, such as Windows XP users, may consider employing an alternate browser," the United States Computer Emergency Readiness Team (US-CERT) said in a bulletin. The team also said that it is unaware of a practical solution to the problem.
The vulnerability could allow a remote, unauthenticated attacker to gain control of an affected computer and then steal or delete personal data, install malware, track online behavior, and more.
FireEye Research Labs, an Internet security software company headquartered in Milpitas, California, first reported the bug on Saturday. According to the company, the bug affects IE6 through IE11, but IE versions 9, 10 and 11 are the only ones being actively targeted at this time.
The exploit uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections. Although FireEye says that disabling the Flash plugin within IE will prevent the exploit from functioning, US-CERT appears to think otherwise.
The warning notes that the Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of the vulnerability.
Meanwhile, Microsoft, which generally releases security patches on the second Tuesday of each month, has yet to decide whether it will issue an emergency patch before the next 'Patch Tuesday' on May 13.