Comments on Internet Explorer Flash Vulnerability 2963983
There has been a lot of hype in the media about the Internet Explorer security vulnerability that affects the Flash Player add-on used in all versions of IE from version 6 (which came with Windows XP) to the current version 11. Although this is a serious threat, the chance of being exploited through this vulnerability is quite low if you are vigilant and careful: do not visit unfamiliar web sites, and do not click on unsolicited links in spam messages that will take you to unsafe websites.
Microsoft is aware of limited, targeted attacks that attempt to exploit this vulnerability. Because of the limited scope of these attacks, they plan to address the issue through the normal update process. On completion of their investigation, Microsoft will take the appropriate action to protect their customers, which may include providing a solution through the monthly Windows Update security release process. IE versions 10 and 11 are believed to be safer than older versions, so Microsoft recommends that everyone upgrade to at least version 10 as soon as possible. Note that version 8 is the last release available for Windows XP.
- This vulnerability has been around for over a decade and was only just discovered.
- This vulnerability affects the interface that launches the Adobe Flash Player in IE.
- You can disable the Flash Player in Internet Explorer to reduce the chance of this threat.
- The latest versions of Internet Explorer, 10 and 11, are safer; upgrade now from version 9.
- It is OK to continue to use IE for safe, trusted websites such as your Internet banking.
- You may wish to use an alternate browser (Mozilla Firefox, Google Chrome, etc.).
- Before you click, always preview the URL of a link (see the lower left corner of the browser page).
- IE running with Enhanced Security on servers is not vulnerable to this threat.
How to Disable Flash in IE
Open IE and then click Tools, then Manage Add-ons. Next, click on Shockwave Flash Player to select the Flash add-on. Now look towards the bottom of the window for the Enable and Disable buttons. Unless it is already disabled, click Disable and then click OK to finish. Later, when you wish to view Flash items in IE, follow these same steps and click Enable to turn it back on.
How to Preview URL Links
Always read the full URL (Uniform Resource Locator) of a web link before you click on one of those blue highlighted or underlined links in a web page or email. When you point to a link on a web page or in an email (hover the mouse pointer over the link) before you click, you should see the full text of the link in the bottom left corner of your browser or email window. If your email program does not show the link (for example http://www.somewebsite.com) when you point to it or hover over it, right click on the message and choose "view in browser" before you try to go to the link.
DO NOT CLICK if the URL does not refer to a known or trusted website address (especially if it ends in .cn, .ru or .br, the country codes for China, Russia and Brazil). In older versions of Internet Explorer you may need to turn on the status bar (right click on the title bar and make sure that Status Bar is checked). Current versions of most browsers, including Firefox and Chrome, show this by default.
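As an added illustration of the "preview before you click" advice (this is example code written for this post, not part of the original), the snippet below does in code what the status bar does for you: it pulls the real destination out of a link, compares it with the address the link text claims to go to, and flags the country-code endings named above. The email HTML is constructed sample input, and the bank and IP addresses in it are reserved example values.

```javascript
// Programmatic "preview the URL" check over constructed sample anchors.
// Runs offline in Node.js; uses the standard WHATWG URL class only.

// Country-code endings the post tells readers to treat with suspicion.
const FLAGGED_TLDS = new Set(["cn", "ru", "br"]);

// Pull href and visible text out of simple <a ...>text</a> markup.
function parseAnchors(html) {
  const re = /<a\s+[^>]*href\s*=\s*"([^"]*)"[^>]*>([\s\S]*?)<\/a>/gi;
  const anchors = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    anchors.push({ href: m[1], text: m[2].replace(/<[^>]+>/g, "").trim() });
  }
  return anchors;
}

// Lower-cased hostname of an http(s) URL, or null if the string is not one.
function hostOf(s) {
  try {
    const u = new URL(s);
    return /^https?:$/.test(u.protocol) ? u.hostname.toLowerCase() : null;
  } catch (e) {
    return null;
  }
}

// Mimic what hovering shows: where the link really goes, and whether the
// visible text pretends to go somewhere else or the destination ends badly.
function previewLink(anchor) {
  const destHost = hostOf(anchor.href);
  const textHost = hostOf(anchor.text); // only set when the text itself is a URL
  const tld = destHost ? destHost.split(".").pop() : "";
  const reasons = [];
  if (!destHost) reasons.push("destination is not an http(s) URL");
  if (textHost && textHost !== destHost) reasons.push(`text shows ${textHost} but link goes to ${destHost}`);
  if (FLAGGED_TLDS.has(tld)) reasons.push(`destination ends in .${tld}`);
  return { href: anchor.href, destHost, suspicious: reasons.length > 0, reasons };
}

function scanHtml(html) {
  return parseAnchors(html).map(previewLink);
}

// Constructed sample message: one .ru destination, one honest link, one
// link whose text names the bank but whose href points at a bare IP address.
const SAMPLE_EMAIL_HTML = `
<p>Please <a href="http://login.example-bank.com.xyz.ru/confirm">confirm your login</a>.</p>
<p>Visit <a href="http://www.trusted-bank.example/">http://www.trusted-bank.example/</a></p>
<p><a href="http://203.0.113.5/x">http://www.trusted-bank.example/account</a></p>`;

for (const r of scanHtml(SAMPLE_EMAIL_HTML)) console.log(r.suspicious ? "SUSPICIOUS" : "ok", r.href, r.reasons.join("; "));
```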
Refer to Microsoft Security Advisory 2963983 for more information.
More Technical Details
In order to exploit this security vulnerability, an attacker would have to host a specially crafted website designed to trigger the IE bug, and then lure the user into visiting it. In other words, you would first have to be lured to a malicious website; that site would cause IE to corrupt its data in memory and then run a malicious program designed to infect your computer with a virus or to give the attacker remote access to your files.
This type of software flaw or vulnerability is nothing new. Flaws are identified and repaired by Windows updates in all parts of Windows on a weekly basis. Microsoft is required to publish known security flaws once they are found, which makes it imperative to keep your software up to date. Once known vulnerabilities are published, you can be sure that there are bad people out there writing software to take advantage of them.
There is no cause for alarm or panic. If you maintain a vigilant eye and cautiously practice safe computing, you won't be fooled into clicking on web links in phishing email messages that don't look quite right. A typical example is a message that appears to come from a social network site, asking you to click a link and confirm your login credentials or else your login will be disabled.
The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer.