Workarounds for Internet Explorer Vulnerability

Updated 12/18: Microsoft released MS08-078 on 12/17/08, their second out-of-band patch in as many months. This patch should be applied immediately on clients and ASAP on server platforms. The normal game credential stealing aspect of the associated malcode has expanded to include theft of financial account information. The number of reported attacks continues to rise, so don't dally - patch. No reports of the patch breaking anything yet, either.

Microsoft has updated their Security Advisory 961051 to include all versions of Internet Explorer, not just IE7 as originally released. If you're running Internet Explorer at all, you're at risk, so stop already.

Microsoft has suggested at least 9 workarounds to employ while we wait from them to come out with a patch to close the weaknesses, and since there is already exploit code propagating in the wild, if you plan on using IE instead of switching to a more secure alternative like Mozilla Firefox or Opera, I strongly suggest that you use options 1 and 2 in the workaround table posted at their Security Vulnerability Research and Defense site.

If you've set up Internet Explorer as your default browser, keep in mind that other programs might launch IE automatically to render content. Outlook and Outlook Express in particular do this to pull images embedded within emails or to launch a URL that is within the body of an email. So even if you're switching browsers, make sure you change your default browser settings, or employ one of the workarounds so you're protected even if IE gets launched by another application.

Since exploits remain targeted so far, it remains to be seen if Microsoft will release an out-of-band patch for remediation, or if they will have something ready for the Microsoft Tuesday in January, which would be the second Tuesday of the month. Vulnerability intelligence groups are keeping an eye on the threat landscape and we'll know soon enough if the situation worsens.