Internet Explorer Exploit Leaves XP Users High and Dry
NEWS ANALYSIS: Even when a fix is developed for the latest IE threat, Windows XP users won't get it. That's a good reason for them to upgrade their OSes.A new vulnerability reported by Microsoft that allows an attacker to install malware and then execute it while bypassing the user's security is the best reason yet to move away from Windows XP if you're still among the millions of users who haven't moved to something newer. But the remote code execution vulnerability affects every version of Windows, and every version of Internet Explorer from version 6 through version 11. This vulnerability, which can be triggered by visiting an infected Website or opening an HTML email, is so serious that the U.S. Department of Homeland Security's US-CERT (Computer Emergency Readiness Team) is recommending that you stop using IE entirely until Microsoft is able to fix the problem. This means that not only should you not browse the Internet using IE, but you should change your default settings so that clicking on a link doesn't open it and change your email settings so that HTML messages use a different browser. According to security researchers at FireEye, who found the vulnerability originally, it uses a previously known flash exploitation technique to allow code execution in portions of memory normally reserved for data. While the technique was known, the particular exploit method was not known until it was being employed to install malware. Fortunately, Microsoft has a workaround that is available for enterprise users—the Enhanced Mitigation Experience Tookkit, which is available for download. While the EMET will work with Windows XP, it does not provide a complete solution. With XP, the only real solution is to avoid running Internet Explorer. You should also set your security zone settings to "high." This will block ActiveX and Active Scripting, which in turn means that some Websites won't work properly.
There are a number of other measures to help limit damage from this vulnerability. These are listed in the Microsoft security advisory in the first link at the top of this column. What Microsoft isn't saying is that you should avoid IE until a fix is released.