The Internet Explorer zero-day that Microsoft has acknowledged is the subject of a new security advisory published by the US Department of Homeland Security.
In an advisory published this weekend, the Cybersecurity and Infrastructure Security Agency (CISA) warns that an attacker can acquire the entire charge of an unpatched device utilizing a vulnerability within the browser that the Windows operating system ships with.
Ie is not the default browser in Windows 10, being replaced by Microsoft Edge. It is, however, offered pre-loaded within the operating system for compatibility reasons – Microsoft recommends against utilizing it like a daily browser, but security patches continue to be provided.
CISA says malicious actors can exploit this vulnerability remotely and, citing Microsoft’s own advisory, emphasizes the flaw has already been being used for attacks.
“Microsoft has released a security advisory to address a vital vulnerability in Internet Explorer. An online attacker could exploit this vulnerability to consider charge of an affected system. Based on the advisory, ‘Microsoft understands limited targeted attacks,'” the CISA warning reads.
Use a different browser
The security agency also recommends users to switch to a different browser, a minimum of until an area is released by Microsoft.
“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to examine Microsoft’s Advisory ADV20001 and CERT/CC’s Vulnerability Note VU#338824 to learn more, implement workarounds, and apply updates when available. Think about using Microsoft Edge or perhaps an alternate browser until patches are made available,” it says.
Worthwhile to learn, however, is that even if you use a different browser, your device remains vulnerable because of apps in line with the IE engine.
Microsoft has already acknowledged the bug and provided mitigation for this, but said a complete patch is still within the works. An ETA hasn’t been provided, however it’s believed the company would wait until the following Patch Tuesday cycle to produce it.
The upcoming Patch Tuesday updates is going to be published last month 11.