The Department of Homeland Security (DHS) has advised Internet users to avoid using Microsoft’s Internet Explorer browser application until a security flaw has been fixed. The flaw allows a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system, according to the release issued through DHS’s U.S. Computer Emergency Readiness Team (US-CERT) Monday morning.
Internet Explorer contains a use-after-free vulnerability, which allows attackers to execute code on a system that is vulnerable. Machines that are vulnerable include those using Internet Explorer versions 6 through 11 and the bug “could lead to the complete compromise of an affected system,” US-CERT said in a statement.
While the bug is affecting Internet Explorer, the Adobe Flash application appears to be safe from such attacks. However, US-CERT warned that it might be possible for hackers to exploit the use of Flash as Internet Explorer and Flash run within the same process space as the browser.
Microsoft has not released an official statement about the flaw and how it’s working to fix it. In the meantime, US-CERT is recommending that Internet users use an alternative Web browser, such as Google Chrome or Mozilla’s Firefox, until an official update is available from Microsoft to fix the flaw.
Additionally, US-CERT is suggesting that users use the Microsoft Enhanced Mitigation Experience Toolkit (EMET) to help prevent exploitation of the vulnerability. However, the team warned that Windows XP and Windows Server 2003 will not receive the same level of protection that modern Windows platforms will, such as Windows 7 and 8.
The bug is the first high-profile security flaw to emerge since Microsoft stopped providing security updates for Windows XP earlier this month, Reuters reports. It was first reported publicly by FireEye, whose Mandiant division helps companies respond to cyberattacks.
FireEye is calling hackers’ exploitation of the security flaw Operation Clandestine Fox. According to its research, the campaign is a series of “targeted attacks seemingly against U.S.-based firms, currently tied to defense and financial sectors,” FireEye spokesman Vitor De Souza told Reuters. “It’s unclear what the motives of this attack group are, at this point. It appears to be broad-spectrum intel gathering.”