Digital Evidence Articles

Alert! Stop using Microsoft’s Internet Explorer RIGHT NOW!


On the heels of the Heartbleed bug affecting security across the Internet, the Department of Homeland Security's U.S. Computer Emergency Readiness Team released an advisory on April 28, 2014. It called for all users of Internet Explorer (IE) to stop using the browser until the vulnerabilities found in versions 6 through 11 can be fixed. The statement indicated that using IE could lead to "the complete compromise" of an affected system. Versions 6 to 11 have been distributed with Microsoft’s Windows operating system for the past several years.

At about the same time, the recently established UK National Computer Emergency Response Team issued similar advice to British computer users. The UK said that, in addition to considering alternative browsers, users should make sure their antivirus software is current and regularly updated.

Governmental Warnings Unusual

These governmental calls for changing browsers are unusual, but they highlight the severity of the problem found in IE, one of the most popular browsers in the world. This particular problem is considered to be a “zero-day exploit”. A zero-day exploit is defined as a “previously unknown bug or vulnerability in an application which developers have not had time to address”. A zero-day vulnerability could be used by Black Hat Hackers the first day it is discovered and made public.

Although the Department of Homeland Security's Computer Emergency Readiness Team (CERT) has issued regular browser advisories, this is one of the few times the DHS CERT team has recommended that users avoid using a specific browser.

The Risk

This particular flaw in IE allows attackers to run malicious code remotely. The code could allow hackers to gain full control of the computer on which the browser is running. Security firm FireEye Research Labs said that the flaw has already been used to attack financial and defense organizations in the US via IE versions 9, 10, and 11. These versions of IE were designed to run on Microsoft Windows Vista, Windows XP, Windows 7, and Windows 8. The exploit has been found in versions as old as IE 6.

The Fix

Our recommendation is that you use another browser like Mozilla Firefox or Google’s Chrome. If you can’t switch from IE, then you should disable Adobe Flash in IE or use Microsoft's Enhanced Mitigation Experience Toolkit security app. However, neither of these options will secure your computer as well as switching browsers will.

Adobe, the company that wrote the Flash product, published the following steps to disable the software in IE:

  1. Launch Internet Explorer.
  2. If you see an animation playing, then Flash Player is enabled.
  3. If you don’t see an animation playing, then Flash Player is not enabled. In that case, click on the Tools icon in the top right corner of Internet Explorer. (The icon looks like a cogwheel.)
  4. In the drop-down menu which appears, click Manage Add-Ons.
  5. In the dialog which appears, select Toolbars and Extensions.
  6. In the list of Add-ons, look for “Shockwave Flash Object” – which is another name for Flash Player.
  7. In the Status column, check to see whether Shockwave Flash Object is Disabled. If it is, click the row for Shockwave Flash Object to highlight it.
  8. In the bottom right corner of the Manage Add-ons dialog, click the Disable button.
  9. Close the Manage Add-ons dialog.
  10. Go to http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html and click on the Check Now button. If Flash is disabled, this page will tell you so.

Evidence Solutions, Inc. recommends that you consult with your computer support team before making any changes to your computers.


Experts on this topic...

Digital Evidence

Digital Evidence Scott Greene
