The recently discovered security hole in Microsoft's Internet Explorer is bigger than Microsoft lets on. It is so big, in fact, that even the federal government believes users should stop using Internet Explorer right away.
The United States and the United Kingdom governments issued separate security advisories urging users of Internet Explorer to switch to another browser while Microsoft is working on a security update to its system.
The Department of Homeland Security's US Computer Emergency Readiness Team (CERT) says it is "currently unaware of a practical solution to the problem" and encourages users as well as IT administrators to deploy workarounds currently recommended by Microsoft while the company comes up with a more permanent security patch.
CERT-UK also released a similar advisory.
"Microsoft Internet Explorer contains a use-after-free vulnerability, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system," said CERT in its security advisory.
FireEye Research Laboratory first discovered the vulnerability, which affects Internet Explorer versions 6 to 11 and allows hackers to gain administrative rights to a vulnerable system.
FireEye and Microsoft recommend that users employ the Enhanced Mitigation Experience Toolkit (EMET) versions 4.1 and 5.0, a tool that can prevent attackers from exploiting the glitch in Internet Explorer. However, users should know that earlier versions of EMET are ineffective and that the toolkit poses a few possible problems of its own, including operating system crashes.
Disabling the Flash player plugin in Internet Explorer can help, according to FireEye, since the bug corrupts the Flash player to bypass Windows security protection features. This comes with drawbacks of its own, as disabling Flash removes some browser capabilities, such as playing animated videos.
CERT also advises users to unregister vgx.dll, a "library used for handling vector markup language" that technically can still be used outside of Internet Explorer, although experts believe the chances of that are very small. The security hole is not found within the library, but it is currently being used by attackers to take advantage of the vulnerability.
Microsoft's response, however, has been lukewarm: the company says it continues to look into the appropriate action and will issue a security update once it has found a better solution than FireEye's workarounds. As of press time, the company still has not released a solution since the bug was first discovered April 26.
Any updates released by Microsoft, however, will not benefit Windows XP users, since Microsoft stopped supporting its 13-year-old operating system on April 8. Authorities believe users who are not able to deploy FireEye's recommendations should stop using Internet Explorer and find another browser. Alternative browsers include Google Chrome, Mozilla Firefox, Opera, and Safari for Mac users.
"Chrome does not support one of the required formats (VML) so it should not be affected, even if the vulnerable DLL is on the machine," said Wolfgang Kandek, chief technical officer of Qualys.
CERT-UK also recommends that users ensure their antivirus applications are always up to date.
Siber Systems vice president of marketing Bill Carey also said that users should update their systems, a move that is not possible for Windows XP users. Having a strong email password as well as a disposable email address for avoiding spam will also help, according to Carey.