US-CERT is aware of active exploitation of a use-after-free vulnerability in Microsoft Internet Explorer. This vulnerability affects IE versions 6 through 11 and could allow unauthorized remote code execution.
The CERT is the Computer Emergency Response Team* which has been around since the late 1980s (!). Back then there were about 200 of us who cared about security. These guys have been in the business for a long, long time.
US-CERT recommends that users and administrators review Microsoft Security Advisory 2963983 for mitigation actions and workarounds. Those who cannot follow Microsoft's recommendations, such as Windows XP users, may consider employing an alternate browser.
Their point about XP users "considering" using a new browser is just politeness and professionalism. Others in the press are less restrained: US, UK advise avoiding Internet Explorer until bug fixed:
The Internet Explorer bug, disclosed over the weekend, is the first high-profile computer threat to emerge since Microsoft stopped providing security updates for Windows XP earlier this month. That means PCs running the 13-year-old operating system will remain unprotected, even after Microsoft releases updates to defend against it.
XP users, you've had a long, good run. It's over now.
Like the old saying from the bartender, you don't have to go to a new browser but you can't sleep on this one anymore. The bad guys have been waiting for the last XP security update. It's like the U-Boats waiting for the escorting destroyers to sail over the horizon, leaving the convoy behind. Now it's open season. On you.
"Everybody should be moving off of it now. They should have done it months ago," said Jeff Williams, director of security strategy with Dell SecureWorks.
Roger Kay, president of Endpoint Technologies, expects several hundred million people running Windows XP to dump those machines for other devices by the end of the year.
XP users, stop using Internet Explorer, effective immediately. Do not pass Go, do not collect $200. If you're reading this in IE, close the window right now.
I can't recommend Firefox, which is coded by fascists or their running dog dupes. I can't recommend Chrome because it's from Google, and they're evil. Opera is OK for now, but quite frankly your options are limited and will be worse each month from now on. As I said, the U-boats are gathering, and it will be the "Happy Time" for them against all the XP users.
You've come to the end. Now it's time to come to a decision on what to do next. That will be the next post.
* They call the "R" "readiness", but they've been around so very long that old security hands like me go by their old (and quite frankly, better) name.