An article was posted online today at a tech publication that mentions the Internet Explorer zero-day vulnerability and includes suggestions from un-named security experts to ‘switch to an alternative internet browser, such as Firefox or Google Chrome.’
This is all overblown.
Yes, an unpatched security vulnerability exists in Internet Explorer. Yes, it’s being actively exploited on the Internet, and Yes, even visiting legitimate websites can lead to compromise*.
No, this isn’t very different than previously announced zero day exploits (except we’re seeing a wider distribution of the exploit and more machines being hacked.) No, the world isn’t coming to an end, and No, you don’t need to change your browser.
ZDNet security bloggers are claming that Microsoft is on target to release an out-of-band security patch for this IE issue as early as tomorrow (December 17th). When it is released, install the patch. Until then, read the workarounds posted by Microsoft to help protect yourself from this issue.
While you’re at it, install all the other security patches that may be missing on your system. One unpatched issue on your system is equal to a zero-day flaw that may be exploited on the Internet. Unless you’re fully patched, you’re not patched at all.
* Hackers are planting the exploit on non-nefarious websites via SQL injection techniques. This means that visiting supposedly safe websites can lead to compromise via this IE flaw. These ‘legit’ websites have even bigger issues, as this means attackers were able to exploit poor SQL coding practices on these sites that enables hackers to inject evil code on the websites.
Eric's Musings on the Security World 
Leave a comment