Channel NewsAsia

Windows IE security flaws get patches, but users need to make long-term fix

Patches have rolled out for Windows users who were recently warned of a security risk when using IE browsers. But like a plaster, a patch can do the job of fixing up an exposed area only until the person adopts a long-term remedy.

The heart attack after HeartBleed is that Windows users, who include a sizeable business audience, are open to having their accounts taken over by another user to unleash malware after using the commonly used IE (Internet Explorer) web browser.

The simple solution is to switch browsers, most say.

Or maybe, the solution isn't that simple.

Since it is the bread and butter of security firms to get friendly with online rogues, Symantec exposed itself and found that on an infected machine, the malware causes the IE browser on Windows XP to crash.

Even if it has not happened to you, someone else you know could have been a victim, which means the malicious code could be on its way to you, because that is how online bugs work.

But worrying won't help.

For those concerned about being exposed, or who think they may have been exposed the last time they were online, the security experts at Trend Micro point out that the flaw, which allows the malicious code to run with the same privileges as the logged-in user, will most likely happen with the accounts of those who have administrator rights.

"This means that if the user’s account does not have administrator rights and is not set up as an administrator, the malicious code will not run with them either, which partially reduces the risk."

The attacks are only known against IE versions 9 to 11, but the security experts also warn that the underlying flaws exist in all versions of IE in use today, from IE 6 through to IE 11.

For those using the more recent versions of Microsoft's browser, IE 10 and 11, the solution is to enable Enhanced Protected Mode (under the Tools menu, look up Internet options and, in it, the Advanced tab and Security options).

Another good move, suggests Trend Micro, is to disable or remove Flash Player from IE until a fix is installed, as the exploit code requires Adobe Flash to work.

The risk lies in code to bypass protection that is hidden in an Adobe Flash file, which resides on malicious sites that victims are lured to visit after receiving clickable links in emails or instant messages.

So it goes back to security 101: if it seems fishy to you, it most likely is.

The risk goes up for those who cannot, or will not, give up on Windows XP.

As it is not easy to simply ditch an operating system (OS), the short-term solution, say the security experts, is to apply a patch, including a virtual patch and other fixes such as the Enhanced Mitigation Experience Toolkit (EMET) from Microsoft, to mitigate attacks.

Trend Micro, which earlier warned of security threats with the end of support for the Microsoft platform, said in its intelligence blog that this is the first vulnerability affecting Windows XP that will not be patched.

"End of support for any software, OS or not, leaves users and organizations more vulnerable to threats," it added.

In short, the old favourite platform among Microsoft users, released in 2001, is now really Windows eXPired, and should be handled the same way as all other items that have gone past the use-by date.
