Latest IE vulnerability: Microsoft's workaround doesn't help those most in need

Summary:A big security flaw in Microsoft's IE browser has left 900 million users vulnerable and, in response, Microsoft issued a geek-speak advisory and a workaround that will leave non-techies scratching their heads.

Whenever I hear about vulnerabilities in Microsoft's Internet Explorer, I can't help but think of the people I know who still use Internet Explorer. By far, those who are still using the browser "that came with the computer" usually have no clue that IE is the biggest target of malicious hackers out there.

Now comes word that there's a new vulnerability in IE on all versions of Windows, one that allows bad guys to run code behind certain sites and see information that you probably don't want anyone to see.

Now, in fairness to Microsoft, the company has issued a security advisory to say that 1) it's investigating reports of the vulnerability, 2) it is aware of a proof-of-concept code that attempts to exploit this vulnerability and 3) it will take appropriate action - maybe in a security update (or maybe not) - once its investigation is done.

Also see: Adrian Kingsley-Hughes: 900 million Internet Explorer users hit by bug - You're probably one of them!

So where does that leave my not-so-tech-savvy friends and family members in the meantime? Well, frankly, it leaves them vulnerable. And there's nothing that Microsoft has really done to help them.

Again, in fairness, Microsoft is working to "provide information" to its partners so that they can help their customers. And, in the meantime, there's a client-side workaround that customers are being encouraged to install. Here are the three things that Microsoft is suggesting on that advisory:

  • "Enable the MHTML protocol lockdown"
  • "Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones"
  • "Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone."

Granted, Microsoft has also launched a one-click Fix it solution as a workaround option "for some scenarios." Not sure which scenarios? Then read more about it - back at that advisory written in Geek Speak.

Seriously? This is a vicious circle that would leaves people like my cousin Grace or my buddy Ernie completely lost. Microsoft might as well have spoken to them in a foreign language. I barely understand what any of that IT jargon means - and I'm the one that they call when they have computer issues.

I want to give Microsoft some credit for offering workarounds to this vulnerability - but I just can't. When there's a vulnerability that potentially affects 900 million users - again, that's Nine Hundred Million users - let's just assume that 800 million of them have no idea how to even get past the first suggestions.

With that said, what good has come from that advisory or that workaround? There are still potentially 800 million users who remain vulnerable - all because Microsoft doesn't know how to talk to or interact with real users, the people who walk into Wal-Mart and drop $500 on a computer so their teenager won't be at a disadvantage in school.

Here's an idea: Fix the problem already and then put it out there in the form of a security update - with simple, easy-to-understand instructions that any old Joe would understand. (Hint: Screenshots can be pretty effective at this point.)

In the meantime, I'll place some calls to those friends and family members who don't know any better and walk them through the process of downloading and installing the Firefox or Chrome browsers - and getting rid of that IE shortcut icon on their desktops once and for all.

Related: Recent IE security flaw is one flaw too many: Time to jump ship?

Topics: Browser, Microsoft, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.