It’s been all over the news while we were traveling to Arizona: “Internet Explorer Vulnerability allows hackers to take control of your computer” and “U.S. Department of Homeland Security recommends that users and administrators use a different web browser until an official update is available.” Even Microsoft issued an official security bulletin on the subject.
Man, that’s enough to freak anyone out, isn’t it?
But if you own a Surface RT tablet, some of you might be thinking: “crap, I don’t have an alternative to IE!”
We got lot of questions on this topic. Some folks even asked if they should stop surfing the web on their Surface tablets. It is true that on Surface RT and Surface 2 you do not have an alternative browser to use.
BUT DO NOT PANIC!
A lot of this is media hype, there is nothing better going on, so they hype anything up. The reality is that it’s not nearly as bad as they make it out to be.
Here is the truth about Internet Explorer Vulnerability on Surface tablets:
- The flaw, called CVE-2014-1776, requires that you visit a specially crafted website in order to be exploited – that is not a very likely thing to happen.
- CVE-2014-1776 uses Adobe Flash as an attack route – Microsoft released an update to for Adobe Flash Player in Internet Explorer on all editions of Windows 8 (2961887). You can download it on your Surface Pro tablet by checking for updates using the Microsoft Update service.
- There is another work around for those of you that feel you know what you are doing: to alter the Access Control List (ACL) within the VGX.DLL Internet Explorer program file, here are Microsoft’s instructions: https://technet.microsoft.com/en-us/library/security/2755801.aspx
- US CERT says that if you’re unable to follow the above recommendations in step 2 or 3, then you should “consider using an alternative browser”.
- “Surface RT devices are more secured than any other devices. Since RT is ARM based and not Intel/x86, malware/viruses/security breaches written for the standard versions of Windows will not infect Surface RT.” This is a direct quote from my chat conversation with Microsoft support. I contacted them because I felt the above instructions where not clear for Surface RTs, and so they confirmed that this bug will not affect Surface RT or Surface 2 devices.
So, there was no need for me to update my Surface RT or Surface 2 and Tim’s Surface Pro updated automatically, thus we are all set – not nearly as horrible as the media made it out to be, is it?
Keep in mind that the update for Surface Pro/Pro2s is not cumulative and requires your Surface to be up-to-date with other updates – in particular update 2942844, released in early April – in order to make the Adobe Flash Update available.
Note: Another little bit of advice I got from Microsoft support was that if you want to feel better, you can enable the option “Warn if changing between secure and not secure mode” in Internet Options of IE. To do so, go to Desktop mode and open Internet Explorer. Under Internet Options find Advanced tab. Scroll down and check “Warn if changing between secure and not secure mode” This will warn you just in case the IE mode will switch to not secured one.
I hope this puts your mind at ease about the IE vulnerability on your Surface tablet.