Latest IE vulnerability: Microsoft's workaround doesn't help those most in need

Summary: A big security flaw in Microsoft's IE browser has left 900 million users vulnerable and, in response, Microsoft issued a geek-speak advisory and a workaround that will leave non-techies scratching their heads.

Whenever I hear about vulnerabilities in Microsoft's Internet Explorer, I can't help but think of the people I know who still use Internet Explorer. By far, those who are still using the browser "that came with the computer" usually have no clue that IE is the biggest target of malicious hackers out there.

Now comes word that there's a new vulnerability in IE on all versions of Windows, one that allows bad guys to run code behind certain sites and see information that you probably don't want anyone to see.

Now, in fairness to Microsoft, the company has issued a security advisory to say that 1) it's investigating reports of the vulnerability, 2) it is aware of proof-of-concept code that attempts to exploit this vulnerability and 3) it will take appropriate action - maybe in a security update (or maybe not) - once its investigation is done.

Also see: Adrian Kingsley-Hughes: 900 million Internet Explorer users hit by bug - You're probably one of them!

So where does that leave my not-so-tech-savvy friends and family members in the meantime? Well, frankly, it leaves them vulnerable. And there's nothing that Microsoft has really done to help them.

Again, in fairness, Microsoft is working to "provide information" to its partners so that they can help their customers. And, in the meantime, there's a client-side workaround that customers are being encouraged to install. Here are the three things that Microsoft is suggesting on that advisory:

  • "Enable the MHTML protocol lockdown"
  • "Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones"
  • "Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone."

Granted, Microsoft has also launched a one-click Fix it solution as a workaround option "for some scenarios." Not sure which scenarios? Then read more about it - back at that advisory written in Geek Speak.

Seriously? This is a vicious circle that would leave people like my cousin Grace or my buddy Ernie completely lost. Microsoft might as well have spoken to them in a foreign language. I barely understand what any of that IT jargon means - and I'm the one that they call when they have computer issues.

I want to give Microsoft some credit for offering workarounds to this vulnerability - but I just can't. When there's a vulnerability that potentially affects 900 million users - again, that's Nine Hundred Million users - let's just assume that 800 million of them have no idea how to even get past the first suggestions.

With that said, what good has come from that advisory or that workaround? There are still potentially 800 million users who remain vulnerable - all because Microsoft doesn't know how to talk to or interact with real users, the people who walk into Wal-Mart and drop $500 on a computer so their teenager won't be at a disadvantage in school.

Here's an idea: Fix the problem already and then put it out there in the form of a security update - with simple, easy-to-understand instructions that any old Joe would understand. (Hint: Screenshots can be pretty effective at this point.)

In the meantime, I'll place some calls to those friends and family members who don't know any better and walk them through the process of downloading and installing the Firefox or Chrome browsers - and getting rid of that IE shortcut icon on their desktops once and for all.

Related: Recent IE security flaw is one flaw too many: Time to jump ship?

Topics: Browser, Microsoft, Security

Talkback

15 comments
  • You gave the wrong image

    Should be "To lock down MHTML" (50602), not the undo one (50603).

    I guess it is hard to read the text, especially for non-tech bloggers.
    FADS_z
  • RE: Latest IE vulnerability: Microsoft's workaround doesn't help those most in need

    Wouldn't we all just want to see an optional, but highly recommended, security update from Microsoft that removes IE and offers a choice of installing Firefox or Chrome. :)
    sys_engineer
    • that's known as a DOWNGRADE!

      @sys_engineer because you're trading a browser that MIGHT get hacked with a browser that is built to steal data and send it to Google by design.

      only a fool uses Chrome!!
      Ron Bergundy
      • Did you understand the article?

        Is this the best defence the MS fanbois have?

        Great time to be an ABMer :-)
        Richard Flude
    • RE: Latest IE vulnerability: Microsoft's workaround doesn't help those most in need

      @sys_engineer

      Buy a Mac, they don't have IE.
      alsobannedfromzdnet
      • RE: Latest IE vulnerability: Microsoft's workaround doesn't help those most in need

        @alsobannedfromzdnet

        Oh yes, it's very clever to switch to a Mac, where the default browser is Safari. Safari has the dubious distinction of being the first browser to be hacked in every single Pwn2Own competition so far.
        WilErz
  • Best work-around

    Sam, you gave them the best work-around. Stop using IE and install Firefox or Chrome or Safari or Opera any of which are going to be more secure than IE. And in so doing, you'll help chip away at my Internaut IQ index in a favorable manner.
    http://www.pmaco.net/~smiley/Internaut_IQ_Index_.html

    Thank you, Smiley
    smiley97111
  • Sam Diaz is a joke

    which is why he was made senior editor - the smart people passed it up and walked away as they didn't feel throwing away their integrity writing click bait stories was the right direction for their careers. but at least SD showed us it's all about the page hits!!!
    Ron Bergundy
  • Didn't I recently read on ZDNet that Adobe Reader was the most popular

    attack target, not IE? I tried finding the article but couldn't, but I swear I saw this headline...
    PB_z
  • RE: Latest IE vulnerability: Microsoft's workaround doesn't help those most in need

    Or you could calm down, stop reading Adrian's FUD and accept that all code will have errors or exploits. Moving to less secure browsers developed in a garage or by an advertising company will just increase your risk.

    Perhaps after the next long list of bugs in FF and Chrome you can suggest people turn to IE.

    Slow news day huh?
    tonymcs1
  • RE: Latest IE vulnerability: Microsoft's workaround doesn't help those most in need

    Great, more Microsoft bashing where it is not justified. Just more ZDNet fear mongering.

    "So where does that leave my not-so-tech-savvy friends and family members in the meantime? Well, frankly, it leaves them vulnerable. And there's nothing that Microsoft has really done to help them."

    This is proof of concept as you said, there are no active exploits! Therefore those 800 million people including Grace and Ernie are not vulnerable. Microsoft provided a one click fixit, so Microsoft has done something to help them. Not only that but your friends as well as the 800 million others will also need to go to a malicious site for this to become active.

    Instead of going through the complicated task of having them search, download, and install new applications you could just set up the built-in security in IE. Here's a tip for you, Zones can be your friend.
    Loverock Davidson
  • How has Apple communicated a work around for their vulnerabilities?

    You know, the ones that we don't know about yet? Oh right...they don't. They just release a patch. No warning, no work arounds, nothing. Just a patch that will show up at some random time. In the meantime their systems are vulnerable.

    So my recommendation: Do nothing and wait for the patch...just like you do with Apple. You're welcome.
    ye
    • Well, actually, you can quote all of the apple fanbois on this one...

      @ye

      "there is no exploit in the wild, and no computer has been hacked with this...so it doesn't really exist"

      and, really, Diaz...really???

      "There are still potentially 800 million users who remain vulnerable - all because Microsoft doesn't know how to talk to or interact with real users, the people who walk into Wal-Mart and drop $500 on a computer so their teenager won't be at a disadvantage in school."

      First, the "teenager" that the computer was bought for either: a) knows enough to mitigate this vulnerability, or b) is doing way more risky activity with the computer that this vulnerability that has yet to be exploited pales in comparison.

      Second, what? should they take a page from Apple's book? "avoid browsing the internet that way"? or "other o/s's have vulnerabilities too, we're not the only ones"???

      "I want to give Microsoft some credit for offering workarounds to this vulnerability - but I just can't."...yeah, Diaz, you should have just stopped with your post at that point. Obviously you don't want to give MS some credit, so don't even go there.
      SonofaSailor
  • Browser "wars"

    Everybody b?tches that one is better than the other. They all have their faults. Each claim they offer better compatibility but in whose eyes? Theirs? They all play their games. They claim to be more secure than the others. Uh huh.

    Some say to switch away from IE to another browser, but if you look at the alternatives, they all had plenty of bugs.

    Opera released 11.01 to fix a remote code injection vulnerability. Safari, Firefox and Chrome are no better. How many updates to Firefox 3.5 since it was released a couple of years back [give or take]. 20 or so? Safari is perennially buggy. Chrome ain't far behind.
    Gis Bun
  • Vulnerabilities and Exploits

    It is one thing for a piece of software to be vulnerable. It is another thing for that vulnerability to be exploitable. One does not equal the other. Exploits are the dangerous one.

    You could argue that Microsoft did the right thing in informing its users about a very young vulnerability with no known exploits. Or you could just FUD this all the way to the bank.
    surfasb