Internet Explorer security bug: How to stay safe

Worried about the hole in Internet Explorer that has been used to attack U.S. defence and financial firms? Here's how you can protect yourself.

Who's affected, how the bug works and steps you should take


CBC News


A vulnerability in Internet Explorer could let hackers take over your computer.

The bug has already been used by hackers to attack some U.S. financial firms, according to cyber-security software maker FireEye.

Here's what you need to know to protect yourself:

What versions of Internet Explorer are affected?

Internet Explorer 6 to 11 – that is, all of them. However, according to FireEye, cyberattacks have been targeting Internet Explorer 9 and higher.

How does this bug allow my computer to be attacked?


If you have an affected browser and visit a booby-trapped website, the bug leaves you vulnerable to a "drive-by install." That means malicious software (malware) can be installed without your knowledge – you don’t have to click on anything.

Once the software is installed, others can take control of your computer.  

Typically, Microsoft says, you'd be directed to the website by a link in an email or instant message. The email may appear to come from someone you know and the website may look like a website you normally visit.

Is there a fix?

Yes, Microsoft released one on May 1, including a Windows XP version. If you have automatic updates turned on, the patch will install automatically. Otherwise, open the Control Panel, click Windows Update, and then click the "Check for updates" button to find and install it.

What can I do to protect myself?

  1. Install the new fix. 
  2. If you haven't done that, switch to another web browser, such as Mozilla Firefox or Google Chrome. This is one of the recommendations of the Computer Emergency Readiness Teams at the U.S. and U.K. national security agencies.
  3. Upgrade from Windows XP to a newer version of Windows. Microsoft ended support for XP earlier this month and will no longer be releasing security patches for it.
  4. Download and install Microsoft's Enhanced Mitigation Experience Toolkit. This is recommended by Microsoft. The toolkit adds extra obstacles to make it more difficult for cyberattacks to make use of software vulnerabilities.
  5. Follow other security best practices. Microsoft recommends that you:
    • Enable a firewall.
    • Apply all software updates.
    • Install anti-virus and anti-spyware software.
    • Exercise caution when visiting websites and avoid clicking suspicious links or opening email messages from unfamiliar senders.

What if installing an update, switching browsers, or upgrading Windows isn't an option for me?

There are some technical settings you can change to prevent attacks, says internet security company Sophos on its Naked Security blog.

You can turn off Active Scripting in your browser. You can also turn off an Internet Explorer extension called VGX.DLL. If you have XP, Sophos recommends that you unregister VGX.DLL and "never re-register it."
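
A read-only PowerShell check for these two settings, added here as an example (it is not from CBC, Sophos or Microsoft). It assumes the per-user Internet Explorer zone settings in the registry, where action 1400 is Active Scripting; the function names are made up for illustration, and settings enforced by group policy are not examined.

```powershell
# Added example: read-only audit of the two workarounds; nothing is changed.
# Assumption: zone settings are per-user (HKCU); group policy overrides are not read.

function Get-ActiveScriptingState {
    param([int]$Zone)   # 1 = Local intranet, 3 = Internet
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    # URL action 1400 is Active Scripting: 0 = enable, 1 = prompt, 3 = disable.
    $action = (Get-ItemProperty -LiteralPath $key -Name '1400' -ErrorAction SilentlyContinue).'1400'
    if ($null -eq $action) { return 'NotSet' }
    $names = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
    if ($names.ContainsKey([int]$action)) { $names[[int]$action] } else { "Unknown($action)" }
}

function Get-VgxRegistration {
    # Lists COM classes whose in-process server is vgx.dll (no output = unregistered).
    # On 64-bit Windows, run this from 32-bit PowerShell as well: each sees its own view.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srv = "$($_.PSPath)\InprocServer32"
            $dll = (Get-ItemProperty -LiteralPath $srv -ErrorAction SilentlyContinue).'(default)'
            if ($dll -match 'vgx\.dll"?\s*$') {
                New-Object PSObject -Property @{ Clsid = $_.PSChildName; Server = $dll }
            }
        }
}

$vgx = @(Get-VgxRegistration)
$report = New-Object PSObject -Property @{
    InternetZoneScripting = (Get-ActiveScriptingState -Zone 3)
    IntranetZoneScripting = (Get-ActiveScriptingState -Zone 1)
    VgxRegistered         = ($vgx.Count -gt 0)
    VgxServers            = ($vgx | ForEach-Object { $_.Server })
}
$report | Format-List

if ($report.InternetZoneScripting -ne 'Disabled') {
    Write-Warning 'Active Scripting is not disabled for the Internet zone.'
}
if ($report.VgxRegistered) {
    # Unregistering is done with: regsvr32.exe -u "<path to vgx.dll>"
    Write-Warning 'vgx.dll is still registered.'
}
```

A value of NotSet means the current user has no explicit setting for that zone, so the browser's default applies.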

