Microsoft Corp. (MSFT) is rushing to fix a security flaw in its Internet Explorer browser that is already being used in “limited, targeted attacks,” as antivirus firms and the U.S. government advise switching to alternate products.
To take over a user’s personal computer through the browser’s vulnerability, a hacker would have to persuade that person to click on a link to view a malicious website, Microsoft said in an advisory.
The Explorer security concerns come just weeks after the public discovery of Heartbleed, a flaw in the design of an encryption tool that runs on as many as two-thirds of all active websites. Some edition of Internet Explorer runs on 58 percent of all desktop PCs, according NetMarketShare, compared with 18 percent for Google Inc.’s Chrome, the No. 2 browser.
“An attacker who successfully exploited this vulnerability could gain the same user rights as the current user,” Microsoft said in the advisory, issued on April 26. “On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.”
The flaw exists in Internet Explorer versions 6 through 11, which means it will affect users of Windows XP, the operating system that Microsoft stopped supporting with security updates earlier this month.
Symantec Corp., the biggest maker of PC-security software, advised customers to switch to another browser until Microsoft releases a software patch to fix the vulnerability and to use a security mitigation tool kit that Microsoft recommended and that will work with Windows XP. The U.S. Department of Homeland Security’s Computer Emergency Readiness Team issued similar advice today.
The vulnerability was found on April 26 by researchers at security firm FireEye Inc. (FEYE), who also discovered the related attacks and named the campaign “Operation Clandestine Fox.” FireEye, in a statement on its blog, declined to provide details of the campaign except to say that it was targeted at Internet Explorer versions 9 through 11, which account for about a quarter of the total browser market.
This type of security flaw is known as a zero-day threat because there is no time between the discovery of the weakness and attacks attempting to exploit it.
Earlier this month, researchers disclosed discovery of the Heartbleed bug, a flaw in OpenSSL encryption software. Researchers pushed out a fix for the vulnerability, which could have enabled hackers to gain access to user names, passwords and other sensitive information, and users were urged to change their website passwords. Companies such as BlackBerry Ltd., Cisco Systems Inc. and Yahoo! Inc. were affected by the bug.
Consumer-data breaches at Target Corp. and Neiman Marcus Group Ltd. in recent months and the spying scandal involving the National Security Agency have also raised concerns about the security of networks and private information.
To contact the reporter on this story: Dina Bass in Seattle at email@example.com
To contact the editors responsible for this story: Pui-Wing Tam at firstname.lastname@example.org Jillian Ward, James Callan