Germany's Federal Office for Information Security (BSI), the agency that looks after IT security for the country's federal government, is urging individuals and companies to stop using Internet Explorer.
The warning comes after the news that zero-day exploits are already in the wild for a security hole that affects Internet Explorer, versions 6 to 9. According to the BSI, it is more than likely that criminals will use these vulnerabilities to target users.
As there is no fix for the flaw currently available, the BSI is recommending users ditch IE until Microsoft releases a patch.
"The BSI recommends all users of Internet Explorer to use an alternative internet browser until the manufacturer has released a security update," it said in an advisory on the BSI site.
The BSI routinely issues warnings for currently active exploits. In the past, warnings have been issued against zero-day flaws in Java and several other issues in Internet Explorer.
The agency is already in contact with Microsoft and is pushing for a fix for the vulnerability, according to the advisory.
That update might not be too far away. In a blog post published on Tuesday, Yunsun Wee, director of Microsoft's Trustworthy Computing Group, announced that a one-click 'fix it' for the flaw will be released in the "next few days". Microsoft has also pointed users towards a free tool, the Enhanced Mitigation Experience Toolkit (EMET), which should prevent users falling victim to any exploits.
Microsoft has also set out a manual solution to the problem: the company recommends setting internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones. The workaround is detailed in Microsoft's corresponding Security Advisory for the flaw.
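For administrators who want to confirm the zone workaround is in place, the following read-only PowerShell check is an added example, not taken from Microsoft's advisory or the BSI notice. It assumes the standard per-user Internet Explorer zone layout in the registry (zone 1 = Local intranet, zone 3 = Internet, URL actions 1200 and 1400, level 0x12000 = High) and does not inspect Group Policy overrides.

```powershell
# Added example: read-only audit of the "High" zone workaround.
# Assumption: per-user IE zone settings live under the key below;
# machines managed by Group Policy may override them elsewhere.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones = [ordered]@{ '1' = 'Local intranet'; '3' = 'Internet' }
# URL action IDs: 1200 = run ActiveX controls and plug-ins, 1400 = Active Scripting
$actions = [ordered]@{ '1200' = 'ActiveX controls'; '1400' = 'Active Scripting' }
$High = 0x12000     # CurrentLevel value of the "High" template
$Disabled = 3       # URL action values: 0 = allow, 1 = prompt, 3 = disable

$report = foreach ($id in $zones.Keys) {
    $props = Get-ItemProperty -Path (Join-Path $base $id) -ErrorAction SilentlyContinue
    if (-not $props) {
        # Zone key absent: report it rather than assuming a safe default
        [pscustomobject]@{ Zone = $zones[$id]; Check = 'registry key'; Value = 'missing'; Ok = $false }
        continue
    }
    [pscustomobject]@{
        Zone  = $zones[$id]
        Check = 'security level'
        Value = ('0x{0:X}' -f [int]$props.CurrentLevel)
        Ok    = ($props.CurrentLevel -eq $High)
    }
    foreach ($a in $actions.Keys) {
        $v = $props.$a   # $null when the value has never been written
        [pscustomobject]@{
            Zone  = $zones[$id]
            Check = $actions[$a]
            Value = if ($null -eq $v) { 'not set' } else { $v }
            Ok    = ($v -eq $Disabled)
        }
    }
}

$report | Format-Table -AutoSize
# A non-zero exit code lets a fleet-management tool flag hosts still exposed
if ($report.Ok -contains $false) { exit 1 }
```

The script only reads settings; applying the workaround itself should follow the steps in Microsoft's Security Advisory.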
The vulnerability was found by security researcher Eric Romang last week while looking into recently discovered Java vulnerabilities. While analysing an earlier zero-day, he found some interesting HTML code that led him to the discovery of the new vulnerability. Using the flaw in IE6 to 9, an attacker can remotely execute code with the same privileges as the current user. If this user has administrative rights, the attacker might be able to get complete control over the system.