Microsoft over the weekend admitted to a huge vulnerability in Internet Explorer that allows hackers to set up malicious websites in order to gain complete access to visitors’ PCs, provided they visited the page with IE (version 6 and up). From there, hackers could install apps, break into other accounts and generally use the computer as their own.
In order to protect yourself from the flaw — dubbed “Operation Clandestine Fox” by security firm FireEye — the best thing you can do is stop using Internet Explorer until Microsoft patches it. Other browsers, such as Google Chrome and Mozilla Firefox, don’t have the problem, and you can export your bookmarks and other settings to those browsers very easily.
If you don’t want to stop using IE, there are ways to ensure you’re not exposed while browsing the web. Ever since IE10, the browser has offered an Enhanced Protected Mode (EPM). You won’t be vulnerable to the bug with EPM enabled, according to FireEye, and it’s listed as one of the workarounds Microsoft recommends on its explainer page.
You can also disable Adobe Flash. Disabling IE’s Flash plug-in will stop the bug cold, FireEye says — although that will also render your browser powerless to play Flash videos and games.
There are other, more technical ways around the exploit as well. You can install a piece of software called the Enhanced Mitigation Experience Toolkit (EMET) and configure it for Internet Explorer, Microsoft recommends. That will let you browse without altering your web experience much. Be sure to use EMET 4.1 since it’s automatically configured to protect IE.
Separate from Protected Mode, IE has other layers of security, including sliding settings for security zones, which will block malicious software from hijacking your PC if they’re set to high. That setting will, however, make using some websites (such as order forms) more difficult.
Microsoft is expected to release a patch for the flaw soon — either in the company’s next “Patch Tuesday” update, due May 13, or in an off-schedule patch specifically for this issue. It’s unclear if Windows XP will get the patch; support for the OS officially ended in April, but some large enterprise customers are continuing to get software updates.