cbc.ca (© Copyright: (C) Canadian Broadcasting Corporation, http://www.cbc.ca/aboutcbc/discover/termsofuse.html#Rss)
Updated: Tue, 29 Apr 2014 16:17:30 GMT | By CBC News, cbc.ca

Internet Explorer security bug: How to stay safe



A lock icon, signifying an encrypted Internet connection, is seen on an Internet Explorer browser in a photo illustration in Paris April 15, 2014. About two thirds of all websites use code known as OpenSSL to help secure those encrypted sessions. Researchers last week warned they have uncovered a security bug in OpenSLL dubbed Heartbleed, which could allow hackers to steal massive troves of information without leaving a trace. REUTERS/Mal Langsdon (© FRANCE - Tags: SCIENCE TECHNOLOGY CRIME LAW)

A lock icon, signifying an encrypted Internet connection, is seen on an Internet Explorer browser in a photo illustration in Paris April 15, 2014. About two thirds of all websites use code known as OpenSSL to help secure those encrypted sessions. Researchers last week warned they have uncovered a security bug in OpenSLL dubbed Heartbleed, which could allow hackers to steal massive troves of information without leaving a trace. REUTERS/Mal Langsdon (FRANCE - Tags: SCIENCE TECHNOLOGY CRIME LAW) - RTR3LDWQ Reuters

A vulnerability in Internet Explorer could let hackers take over your computer.

The bug has already been used by hackers to attack some U.S. financial firms, cyber-security software maker FireEye said over the weekend.

Here's what you need to know to protect yourself:

What versions of Internet Explorer are affected?

Internet Explorer 6 to 11 – that is, all of them. However, according to FireEye, cyberattacks have been targeting Internet Explorer 9 and higher.

How does this bug allow my computer to be attacked?

If you have an affected browser and visit a booby-trapped website, the bug leaves you vulnerable to a "drive-by install." That means malicious software (malware) can be installed without your knowledge – you don’t have to click on anything.

Once the software is installed, others can take control of your computer.  

Typically, Microsoft says, you'd be directed to the website by a link in an email or instant message. The email may appear to come from someone you know and the website may look like a website you normally visit.

Is there a fix?

As of Tuesday, there wasn't. Microsoft said it is investigating, and will "take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle-security update, depending on customer needs."

What can I do to protect myself?

- Switch to another web browser, such as Mozilla Firefox or Google Chrome. This is one of the recommendations from U.S. and U.K. Computer Emergency Readiness Teams from their national security agencies.

- Upgrade from Windows XP to a newer version of Windows. Microsoft ended support for XP earlier this month and will no longer be releasing security patches for it.

- Download and install Microsoft's Enhanced Mitigation Experience Toolkit. This is recommended by Microsoft. The toolkit adds extra obstacles to make it more difficult for cyberattacks to make use of software vulnerabilities.

- Follow other security best-practices. Microsoft recommends that you:

- Enable a firewall.

- Apply all software updates.

- Install anti-virus and anti-spyware software.

- Exercise caution when visiting websites and avoid clicking suspicious links or opening email messages from unfamiliar senders.

- More tips are available here.

What if a new browser and operating system upgrade aren't an option for me?

There are some technical settings you can change to prevent attacks, says internet security company Sophos on its Naked Security blog.

You can turn off Active Scripting in your browser. You can also turn off an Internet Explorer extension called VGX.DLL. If you have XP, Sophos recommends that you unregister VGX.DLL and "never re-register it."

more video