Internet Explorer Bug: Steps to Take

Experts Offer Remediation Tips, Details on Vulnerability


Faced with a zero-day vulnerability in Microsoft's Internet Explorer Web browser that is already being exploited in targeted attacks, CISOs need to take prompt action, security specialists say. That includes communicating the vulnerability to end users, using alternate Web browsers and developing an incident management strategy.

Meanwhile, organizations must be prepared to deal with other online vulnerabilities as they emerge, warns Alan Brill, senior managing director at security advisory firm Kroll Solutions. "Organizations that don't recognize that - and treat each incident as a separate crisis - are likely to expend more effort going through the incidents than those that develop an incident management strategy," he says.

On April 28, the Department of Homeland Security's U.S. Computer Emergency Response Team urged online users to avoid using Internet Explorer, versions 6 through 11 (see: DHS Says Stop Using Internet Explorer). It warned that the browser vulnerability "could lead to the complete compromise of an affected system."

The exploit of the vulnerability by hackers was first identified by security firm FireEye, which outlined the vulnerability in an April 26 blog post. The company says the exploit is significant because the vulnerable browsers "represent about a quarter of the total browser market."

Although Microsoft says it's working on a patch for the browser vulnerability, the company is no longer issuing any patches to users of its Windows XP operating system after recently dropping support for it (see: End of XP Support: Are Banks Really Ready?).

Threat Severity

Because Internet Explorer is widely used, the vulnerability "is a big deal," says Steve Durbin, global vice president at the Information Security Forum, an independent membership organization that offers information risk management research and mitigation strategies. "Internet Explorer has a significant share of the market, so that's a huge number of devices that are now at risk until Microsoft is able to issue a fix."

The vulnerability in Internet Explorer versions 6 through 11 could allow hackers to gain control of a user's computer after it's been infected with malware, Durbin explains.

"The risk is that you could become more vulnerable to a malware infection that would bypass your anti-malware defenses, allowing hackers and cybercriminals to assume control over your device and use it as if they were the owner," Durbin says. "In short, you lose control over your ability to securely operate your device in cyberspace."

Anton Chuvakin, a research vice president at the consultancy Gartner, says that the vulnerability allows a malicious website to execute code through the user's vulnerable Web browser. "Injecting malware is one route, but they can also make system changes," he says. "If the user runs an administrative account, more effects are possible."

The vulnerability is being actively exploited, Chuvakin says. "It is not a minor worry, but it is certainly not another Heartbleed," he says. "Major Internet Explorer vulnerabilities have been common in the past, and this one does seem to make Web-borne malware injection pretty easy."

The Internet Explorer vulnerability is a "tremendous risk," says Tom Kellermann, managing director for cyberprotection at Alvarez and Marsal, a business management firm. "It is akin to leaving your keys in the ignition in a bad neighborhood. It is imperative that users move to other browsers until a patch has been released. Passwords should also be immediately changed and anti-virus programs run."

Mitigating the Risks