It’s one thing when internet security firms tell people to give Internet Explorer a wide berth while a bug remains unpatched. It’s another when a national government gives the same advice.
That’s exactly what’s happened in Germany, where the Federal Office for Information Services has said it “recommends all users of Internet Explorer to use an alternative browser for Internet use until the manufacturer has released a security update.”
The bug in question is a zero-day drive-by. In other words, hackers were already exploiting it before it came to Microsoft’s attention, and the flaw means that simply visiting an infected website can compromise your machine even if you don’t actively download or run any software.
All currently supported versions of Internet Explorer from 6 to 9 are affected. Depending on the figures you use, that works out to somewhere between a third and half of all internet-connected machines in the world.
Microsoft is already working on a fix but hasn’t confirmed whether it will be issued as soon as it is ready or saved for the next Patch Tuesday. In the meantime it’s suggesting users either set the browser’s built-in security level to High, tweak settings to block active scripting altogether, or set the browser to prompt for confirmation before using active scripting.
All these solutions could make legitimate sites less usable, so Microsoft is also suggesting users run the Enhanced Mitigation Experience Toolkit, a feature built into Windows itself.
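For anyone who would rather check the scripting setting than click through Internet Options, here is an added example (not from Microsoft or from this article) that reads the current user's Active scripting setting for the Internet zone and can switch it to Prompt. It assumes PowerShell 3.0 or later and the standard Internet Explorer zone registry layout (zone 3 is Internet, action 1400 is Active scripting); the function names are made up for this example.

```powershell
# Added example: audit the per-user Active scripting setting for IE's Internet zone.
# Assumes the standard IE URL-security-zone layout: zone 3 = Internet,
# action 1400 = Active scripting, values 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Action   = '1400'
$Policy   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ActiveScriptingState {
    # Read the value if the key exists; a missing value means "not configured here"
    $props = Get-ItemProperty -Path $ZonePath -ErrorAction SilentlyContinue
    $value = if ($props) { $props.$Action } else { $null }

    $state = 'Not set'
    if ($null -ne $value) {
        $state = $Policy[[int]$value]
        if (-not $state) { $state = "Unknown ($value)" }
    }

    [pscustomobject]@{
        Zone            = 'Internet'
        ActiveScripting = $state
        # Only Prompt (1) or Disabled (3) matches the suggested workaround
        MeetsWorkaround = ((1, 3) -contains $value)
    }
}

function Set-ActiveScriptingPrompt {
    # Switch Active scripting to Prompt for the current user's Internet zone
    if (-not (Test-Path $ZonePath)) { New-Item -Path $ZonePath -Force | Out-Null }
    Set-ItemProperty -Path $ZonePath -Name $Action -Value 1 -Type DWord
}

# Report only; call Set-ActiveScriptingPrompt explicitly to change the setting
Get-ActiveScriptingState | Format-List
```

This reads only the per-user value, so a machine-wide Group Policy setting can still override what it reports.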
Metasploit, the site that first figured out how the bug could be exploited, thinks the best solution is much simpler: “Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available.”
Then again, even that statement might be overly complicated and could be simplified by removing the last six words.