A new Internet Explorer bug can take over your entire PC, so stop using it

If you haven’t moved beyond Internet Explorer, here’s another reason to do so: Google and Microsoft have discovered a new IE vulnerability that can take over your entire PC.

Microsoft published CVE-2019-1367 on Monday, a scripting engine memory corruption vulnerability that exists within basically every version of Internet Explorer for Windows 7, Windows 8.1, and Windows 10. (Discovery of the bug was credited to Clément Lecigne of Google’s Threat Analysis Group, and reported earlier by The Register.) The vulnerability “corrupt[s] memory in such a way that an attacker could execute arbitrary code in the context of the current user,” according to Microsoft.

The alert goes on explain what this means for users. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” Microsoft says. “If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

In other words, if an attacker is able to convince you to click on an affected webpage, that attacker can do whatever they want to your PC and your stored data.

There are mitigations. If you’re running Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019, IE runs in a restricted mode that can reduce the likelihood of a user downloading malware. Microsoft’s CVE Web page also includes commands that users can enter into either 32-bit or 64-bit systems to protect them, by restricting access to JavaScript. Still, these workarounds may still impact the functionality of a mitigated system, Microsoft warns.

The safest workaround? Don’t use Internet Explorer. Microsoft implemented Microsoft Edge in 2016 as a safer, more functional replacement for IE, and then said that IE could be run as an Edge tab, and then said that it would be replacing Edge with a Chromium-based version of Edge—without really saying what this means for Internet Explorer.

If you’re confused, the simplest thing is to download Chrome or Firefox or Opera or whatever modern browser you prefer. Virtually all of them can import your previous bookmarks in a heartbeat, and get you up and running in a safer browser within seconds. IE’s time is done, and this is just further proof of it.

Leave a Reply