
Vulnerabilities found with Microsoft Internet Explorer

  • By 375th Communications Squadron
A significant vulnerability has been discovered in Microsoft Internet Explorer. The vulnerability can allow adversaries and criminals to gain complete control of computers. The only defense, at this time, is the "security smart behavior" of all users as they access web sites and act upon email.

Department of Homeland Security's U.S. Computer Emergency Response Team reported on April 27 a significant vulnerability affecting Microsoft Internet Explorer versions 6 through 11. The vulnerability allows an adversary/criminal to gain control of a user's computer when the user simply accesses a web page that has malicious code covertly included. Such web pages could be part of a legitimate web site that has been poisoned by adversaries/criminals. US CERT has additionally reported that the vulnerability is being actively exploited on the Internet.

Use of Internet Explorer on the AF Network should be limited to military or .mil sites as much as possible. If you must visit a non-military site, the site should be a well-known web site, such as a .gov site, and you should disable the Adobe Flash Plugin within IE. Directions for disabling plugins will be posted on the Scott AFB Communications Service and Support site.

There are military applications like Defense Connect Online that require Adobe Flash, so people will have to re-enable the plugin before using those applications. The 375th Communications Group highly recommends that members suspend all non-mission web browsing, commercial email, social networking sites, blogs, etc., until Microsoft creates a fix and it is deployed throughout Scott's Network. The 375 CG will alert users once the patches have been deployed through their computer support organizations.

Another concern with this vulnerability comes from phishing and spear phishing attacks. Adversaries and criminals could send spam emails, or emails that look very legitimate, that include links to sites that contain the malicious code. It is very important at all times to gauge the authenticity of email before clicking. Please follow the R-E-A-D methodology before acting on any email you receive. R-E-A-D stands for Relevant - Expected - Addressed Properly - Digitally Signed.

Here is how to use R-E-A-D:

Is the email Relevant to what members are working on?

If it is not Relevant, don't act upon it (Forward or Reply) and don't click on any links in the email.

Was the email Expected? 

If the email comes out of the blue, don't act upon it (Forward or Reply) and don't click on any links in the email.

If the email is relevant and expected, make sure the email Address is correct. Right click on the "from" address, click on the down arrow head on the lower right of the address window, and inspect the email address displayed.

Compare the address with a legitimate email address that was received previously. Adversaries carry out spear phishing attacks by writing an email that looks like it comes from a boss or friend, and the only giveaway is a doctored email address.

Finally, trust only emails that are Digitally signed. If you only act on and use links from Digitally signed email, you will be safe from phishing/spear phishing attacks.

Note that links that appear in those emails could still be hazardous; the person sending the link may be unaware, so even in this case, be security minded.

For home computers, it is highly recommended that members use an alternate browser, such as Apple Safari, Google Chrome, or Mozilla Firefox. If you do not use an alternate browser, it is highly recommended that home computers not be used to access military and military-related sites. This is especially true for sites that use user names and passwords for access. Adversaries that gain control of home computers could record user names and passwords for these military systems. This is true for all other sites, including financial institutions, so not using IE for the foreseeable future would be wise.

The 375th Communications Squadron will post updates to this situation at the Scott Air Force Base Communications Service and Support EIM site.