It was announced this past Sunday night that a major security flaw was found in Internet Explorer that allows the unwanted remote control of affected workstations. The following is an excerpt from the official statement from Microsoft regarding the reported issue:
The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
The Cause: The heart of the issue stems from an Internet Explorer security hole that is exposed by Flash-based actions in Internet Explorer. This issue affects Internet Explorer versions 6-11 across all versions of Windows (with XP being the most vulnerable).
The Fix: As of today, Microsoft has yet to release a patch to rectify this issue.
The Workaround: There are currently a handful of viable workarounds that can be deployed until Microsoft releases a security patch:
- Run Internet Explorer in ‘Enhanced Protection Mode’ (For Internet Explorer 10 and 11 only)
- Disable the use of Flash in Internet Explorer. Please note that doing this will cause Flash-based charts or KPIs to not show properly in Maintenance Connection. The way to remedy this would be to alter said charts/KPIs to be image-based.
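
To confirm that a workstation actually has these two workarounds in place, the following read-only PowerShell audit can be run locally. It is an added example, not part of the original notice or of Microsoft's statement. It assumes Flash is blocked with the standard ActiveX kill bit on the Flash Player control, and that the 'Enhanced Protection Mode' setting is stored in the `Isolation` value under the Internet Explorer `Main` key; neither registry location is given in the notice itself.

```powershell
# Added example: audits the two workarounds on the local machine. Makes no changes.
# Assumption: Flash is disabled via the ActiveX kill bit on the Flash Player control.
$FlashClsid = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'  # Shockwave Flash Object
$KillBit    = 0x400                                      # "Compatibility Flags" kill bit

function Test-FlashKillBit {
    # Check both the native and the 32-bit registry view (64-bit Windows).
    $roots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $key   = Get-ItemProperty -Path "$root\$FlashClsid" -ErrorAction SilentlyContinue
        $flags = $key.'Compatibility Flags'
        [pscustomobject]@{
            Check     = 'Flash kill bit'
            Location  = $root
            Compliant = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
        }
    }
}

function Test-EpmSetting {
    # A machine policy, if present, overrides the per-user setting.
    # Assumption: 'PMEM' means the mode is on; any other value means it is off.
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main',
             'HKCU:\Software\Microsoft\Internet Explorer\Main'
    foreach ($path in $paths) {
        $iso = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).Isolation
        if ($iso) {
            return [pscustomobject]@{
                Check     = 'Enhanced Protection Mode (IE 10/11)'
                Location  = $path
                Compliant = ($iso -eq 'PMEM')
            }
        }
    }
    # No value found anywhere: treat as not enabled.
    [pscustomobject]@{
        Check     = 'Enhanced Protection Mode (IE 10/11)'
        Location  = '(not configured)'
        Compliant = $false
    }
}

# Report every check; any row with Compliant = False still needs the workaround.
@(Test-FlashKillBit) + @(Test-EpmSetting) | Format-Table -AutoSize
```

The per-user check only reflects the account running the script, so on shared workstations run it in each user's session or rely on the machine policy row.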