A new vulnerability reported by Microsoft that allows an attacker to install malware and then execute it while bypassing the user’s security is the best reason yet to move away from Windows XP if you’re still among the millions of users who haven’t moved to something newer. But the remote code execution vulnerability affects every version of Windows, and every version of Internet Explorer from version 6 through version 11.
This vulnerability, which can be triggered by visiting an infected Website or opening an HTML email, is so serious that the U.S. Department of Homeland Security’s US-CERT (Computer Emergency Readiness Team) is recommending that you stop using IE entirely until Microsoft is able to fix the problem. This means that not only should you not browse the Internet using IE, but you should change your default settings so that clicking on a link doesn’t open it and change your email settings so that HTML messages use a different browser.
According to security researchers at FireEye, who found the vulnerability originally, it uses a previously known flash exploitation technique to allow code execution in portions of memory normally reserved for data. While the technique was known, the particular exploit method was not known until it was being employed to install malware.
Fortunately, Microsoft has a workaround that is available for enterprise users—the Enhanced Mitigation Experience Tookkit, which is available for download. While the EMET will work with Windows XP, it does not provide a complete solution. With XP, the only real solution is to avoid running Internet Explorer. You should also set your security zone settings to “high.” This will block ActiveX and Active Scripting, which in turn means that some Websites won’t work properly.
There are a number of other measures to help limit damage from this vulnerability. These are listed in the Microsoft security advisory in the first link at the top of this column. What Microsoft isn’t saying is that you should avoid IE until a fix is released.
For XP users, that fix will never come. While most of Microsoft’s recommendations for workarounds will work, the fact is that they work at the price of reduced functionality. Some of the things you like to do on the Web won’t work if you follow Microsoft’s instructions, and you won’t be able to get those things back. As support for XP erodes, so are the things you can use it for.
Fortunately, you can do without IE. Other browsers still work with XP, and they’re still being supported. That means that you should try Firefox or Chrome as alternatives when you need access to Web pages, especially if you’re an XP user. For everyone else, you should still stop using IE for now.
Fortunately, there is help. Symantec has released a batch file that unregisters a DLL file named VGX.DLL, which is needed to take advantage of the vulnerability. The batch file works on all modern versions of Windows and it will also help prevent other programs from reregistering VGX. The downside to using this fix from Symantec is that the programs that need it won’t be able to use it and, as a result, also won’t work.
Internet Explorer Exploit Leaves XP Users High and Dry
For users of Windows 7, Windows 8 and Windows Server 2012, the best answer is to take steps to mitigate the threat by this latest vulnerability. Microsoft is already working on an update that will fix the problem. Meanwhile, Microsoft and everyone else from Symantec to DHS are recommending that you update your copy of Windows and Internet Explorer. For users of Windows XP, the only hope is that the mitigation steps work.
Of course, there is one other way to make sure that the remote execution vulnerability becomes a short-term problem rather than a permanent handicap, and that’s to dump XP and go to a newer version of Windows, such as Windows 7. Unfortunately, not every XP solution can be updated, and according to The Washington Post, that includes about 10 percent of computers being used by the U.S. government.
Some of those old XP machines are on networks that don’t have any access to the outside world. Unfortunately, many of those old government computers do have outside access, and while they’re generally on secure networks, the information they contain is highly sensitive, adding to the risk if the vulnerability remains unpatched.
The government has its own set of unique problems when it comes to spending money on updates to hardware and software, including being starved for funds by Congress. Your business, however, does not suffer from those problems, and that means there’s really no good reason not to get your computers updated. Now that you know that the bad guys can hack into your computers quickly and easily using just a Website, you have even less of a reason.