Internet Explorer security bug: How to stay safe

Worried about the hole in Internet Explorer that has been used to attack U.S. defence and financial firms? Here's how you can protect yourself.

Who's affected, how the bug works and steps you should take

A vulnerability in Internet Explorer could let hackers take over your computer.

The bug has already been used by hackers to attack some U.S. financial firms, according to cyber-security software maker FireEye.

Here's what you need to know to protect yourself:

What versions of Internet Explorer are affected?

Internet Explorer 6 to 11 – that is, all of them. However, according to FireEye, cyberattacks have been targeting Internet Explorer 9 and higher.

How does this bug allow my computer to be attacked?

If you have an affected browser and visit a booby-trapped website, the bug leaves you vulnerable to a "drive-by install." That means malicious software (malware) can be installed without your knowledge – you don’t have to click on anything.

Once the software is installed, others can take control of your computer.  

Typically, Microsoft says, you'd be directed to the website by a link in an email or instant message. The email may appear to come from someone you know and the website may look like a website you normally visit.

Is there a fix?

Yes, Microsoft released one on May 1, including a Windows XP version. If you have automatic updates turned on, the patch will install automatically. Otherwise, open the Control Panel, click on Windows Update, and then click the "Check for updates" button to find and install it.

What can I do to protect myself?

  1. Install the new fix. 
  2. If you haven't done that, switch to another web browser, such as Mozilla Firefox or Google Chrome. This is one of the recommendations from the Computer Emergency Readiness Teams of the U.S. and U.K. national security agencies.
  3. Upgrade from Windows XP to a newer version of Windows. Microsoft ended support for XP earlier this month and will no longer be releasing security patches for it.
  4. Download and install Microsoft's Enhanced Mitigation Experience Toolkit. This is recommended by Microsoft. The toolkit adds extra obstacles to make it more difficult for cyberattacks to make use of software vulnerabilities.
  5. Follow other security best practices. Microsoft recommends that you:
    • Enable a firewall.
    • Apply all software updates.
    • Install anti-virus and anti-spyware software.
    • Exercise caution when visiting websites and avoid clicking suspicious links or opening email messages from unfamiliar senders.

What if installing an update, switching browsers, or upgrading Windows isn't an option for me?

There are some technical settings you can change to prevent attacks, says internet security company Sophos on its Naked Security blog.

You can turn off Active Scripting in your browser. You can also turn off an Internet Explorer extension called VGX.DLL. If you have XP, Sophos recommends that you unregister VGX.DLL and "never re-register it."
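
To confirm whether those two workarounds are actually in effect on a machine, a read-only check such as the following can help. It is an added example, not code from Sophos, Microsoft or the original article; the registry locations and the VGX.DLL path are assumptions about a default Windows installation.

```powershell
# Added example: read-only audit of the two workarounds described above.
# Registry locations and the DLL path are assumptions about a default install.

# 1. Active Scripting is URL action 1400 in each security zone:
#    0 = enabled, 1 = prompt, 3 = disabled.
$zones  = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$states = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }
$roots  = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)
foreach ($zone in ($zones.Keys | Sort-Object)) {
    $found = $false
    foreach ($root in $roots) {
        $prop = Get-ItemProperty -Path "$root\$zone" -Name '1400' -ErrorAction SilentlyContinue
        if ($prop) {
            $found = $true
            $value = [int]$prop.'1400'
            $label = if ($states.ContainsKey($value)) { $states[$value] } else { "unknown ($value)" }
            Write-Output ("Active Scripting, {0} zone: {1}  [{2}]" -f $zones[$zone], $label, $root)
        }
    }
    if (-not $found) { Write-Output ("Active Scripting, {0} zone: no explicit setting found" -f $zones[$zone]) }
}

# 2. VGX.DLL: is the file present, and does any COM class still point at it?
$dirs = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
foreach ($dir in $dirs) {
    $dll = Join-Path $dir 'Microsoft Shared\VGX\vgx.dll'
    Write-Output ("{0}: {1}" -f $dll, $(if (Test-Path $dll) { 'present' } else { 'absent' }))
}
$clsidRoots = 'Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
$registered = foreach ($root in $clsidRoots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $server = Get-Item -LiteralPath "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        if ($server -and ("$($server.GetValue(''))" -match '\\vgx\.dll')) { "$root\$($_.PSChildName)" }
    }
}
if ($registered) {
    Write-Output 'vgx.dll is still registered under:'; $registered
    # Unregistering is done from an elevated prompt with regsvr32's /u switch:
    #   regsvr32 /u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
} else {
    Write-Output 'No COM class references vgx.dll (unregistered).'
}
```

The script only reads settings and changes nothing. The scan of the CLSID tree can take a little while on machines with many registered components.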