In an alarming development for both Microsoft and the millions who use its Internet Explorer browsers, hackers have found a security hole that allows them to install malicious software on Windows computers.* Specifically, security researcher Eric Romang of Zataz.com discovered on Sunday that the fresh “zero day” vulnerability allowed cybercrooks to use a form of the old Poison Ivy trojan to take control of victims’ machines. The flaw appears to affect Internet Explorer versions 6, 7, 8, and 9, though not the brand-new version 10 (which is only available on Windows 8). It seems the culprits may be related to the bunch who exploited a major flaw in Oracle’s Java browser plug-in last month.
When news of the Java vulnerability broke, security experts’ advice was clear-cut: Disable the Java browser plug-in immediately unless you absolutely need it. The fact that Java applets have grown relatively scarce on the Web, coupled with Oracle’s sluggish response to the problem, made that an easy call for most. (Java has since patched the hole, for what it’s worth.)
So if you’re a Windows user,* should you now dump Internet Explorer as well? Perhaps, experts say, though the hack shouldn’t be a cause for mass panic. For one thing, Microsoft itself has responded quickly with a security advisory that includes an extensive list of work-arounds. Its apparent sense of urgency suggests that it may offer a prompt update that patches the problem, though it hasn’t done so yet.
Unfortunately for Microsoft, the work-arounds are a bit cumbersome and could affect your browsing experience—potentially more so than just switching to another browser. And while IE loyalists could just try to avoid potentially malicious websites and hope for the best, you never know. “I would recommend not using Internet Explorer until this issue is patched,” Sophos’ Chet Wisniewksi tells me. “While the exploit is not in widespread use, it could be integrated into popular attack kits like the Blackhole Exploit Kit any time now.”
For those who were already thinking of switching to another browser, such as Google’s super-fast Chrome, Mozilla’s highly customizable Firefox, or Opera, consider this the perfect time. If you don’t like it, you can come back to IE once Microsoft fixes this flaw.
Correction: This post originally implied that only computers running Windows XP are vulnerable. While the hack was first discovered on Windows XP, Microsoft’s own security update made it clear that most Windows versions are vulnerable, including Vista, Windows 7, and Windows Server 2003 and 2008.
