ENISA statement related to the recent Internet Explorer vulnerability
In relation to Microsoft's warning on Sunday of a previously unknown vulnerability that affects all supported versions of Internet Explorer (IE), is being exploited, and allows attackers to secretly hijack vulnerable computers, ENISA comments:
Published on April 28, 2014
- To clarify: ENISA is not an operational CERT but a body of expertise, and can nevertheless provide a brief situation analysis and comment.
- This is a serious 0-day, “in-the-wild” attack on society, which demonstrates that there is no 100% security and how vulnerable society can be if security is not addressed from the start. Therefore, we advocate “security-by-design” from the start in the software process by industry.
- This is a significant threat for IE users, as there is no quick fix to repair and “patch” this.
- Users who want to avoid the abovementioned risk should temporarily use another browser until this security gap has been fixed
- Users should keep their systems patched and up-to-date
- Many users have two different browsers installed, so they should easily be able to switch. If not, this is a good reason to have a second one available when needed.
- If this is not possible, IE users should ensure that EMET 4.1 or 5.0 is installed, that all mitigations are enabled, and that VML and Flash are disabled.
- Enhanced Protection Mode (EPM) in IE should be activated. EPM was introduced in IE10.
- Users should always browse the Internet from a restricted user context and never from a system administrator account.
- One of the biggest problems with this vulnerability is that the Windows XP users will be exposed since no patch will be released for XP (End of life)
- As this affects around 26% of the total browser market, this displays how critical cyber security is for today’s society and economy.
- According to the security company FireEye, a known group of cyber criminals have already conducted targeted attacks on individuals and organisations.
As this vulnerability becomes known, the tools and the attack may spread in the near future.
IE’s browser market share has dropped from 40% a few years ago, to around 25% now.
- In Europe, however, Mozilla and Google Chrome are the most used browsers, yet some pockets of higher IE usage can be found in Denmark, Greenland, parts of Italy, the Netherlands and Monaco, in particular. Still, IE has a sizeable share of users’ preferences in the EU, so caution is needed.
- IE is mainly the top browser in e.g. China and Angola.[1]
The Executive Director of ENISA professor Udo Helmbrecht commented:
“We need to invest more in cyber security prevention and preparedness and equip EU bodies with the right resources, if we are to protect the economy and modern society of Europe.
We take cyber access for granted, but still, some 40 years since it was invented, and the 20 years we have been dependent on the Internet, we still have a lot of security homework to do if we are to be able to enjoy the benefits of the Internet.”
ENISA refers to Microsoft for any further updates, but until then all end users should exercise caution and take the lesson: it costs more later not to invest in cyber security now.
For interviews, please contact: Ulf Bergström, Senior Corporate Communications Officer and Spokesman, +30 6948 460 143