Microsoft Rushes to Fix Security Flaw in Explorer Browser

April 28 (Bloomberg) -- Microsoft Corp. is rushing to fix a security flaw in its Internet Explorer browser that is already being used in “limited, targeted attacks,” as antivirus firms and the U.S. government advise switching to alternate products.

To take over a user’s personal computer through the browser’s vulnerability, a hacker would have to persuade that person to click on a link to view a malicious website, Microsoft said in an advisory.

The Explorer security concerns come just weeks after the public discovery of Heartbleed, a flaw in the design of an encryption tool that runs on as many as two-thirds of all active websites. Some edition of Internet Explorer runs on 58 percent of all desktop PCs, according to NetMarketShare, compared with 18 percent for Google Inc.’s Chrome, the No. 2 browser.

“An attacker who successfully exploited this vulnerability could gain the same user rights as the current user,” Microsoft said in the advisory, issued on April 26. “On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.”

Windows XP

The flaw exists in Internet Explorer versions 6 through 11, which means it will affect users of Windows XP, the operating system that Microsoft stopped supporting with security updates earlier this month.

Symantec Corp., the biggest maker of PC-security software, advised customers to switch to another browser until Microsoft releases a software patch to fix the vulnerability and to use a security mitigation tool kit that Microsoft recommended and that will work with Windows XP. The U.S. Department of Homeland Security’s Computer Emergency Readiness Team issued similar advice today.

The vulnerability was found on April 26 by researchers at security firm FireEye Inc., who also discovered the related attacks and named the campaign “Operation Clandestine Fox.” FireEye, in a statement on its blog, declined to provide details of the campaign except to say that it was targeted at Internet Explorer versions 9 through 11, which account for about a quarter of the total browser market.

Zero-Day Threat

This type of security flaw is known as a zero-day threat because there is no time between the discovery of the weakness and attacks attempting to exploit it.

Earlier this month, researchers disclosed discovery of the Heartbleed bug, a flaw in OpenSSL encryption software. Researchers pushed out a fix for the vulnerability, which could have enabled hackers to gain access to user names, passwords and other sensitive information, and users were urged to change their website passwords. Companies such as BlackBerry Ltd., Cisco Systems Inc. and Yahoo! Inc. were affected by the bug.

Consumer-data breaches at Target Corp. and Neiman Marcus Group Ltd. in recent months and the spying scandal involving the National Security Agency have also raised concerns about the security of networks and private information.

To contact the reporter on this story: Dina Bass in Seattle at dbass2@bloomberg.net

To contact the editors responsible for this story: Pui-Wing Tam at ptam13@bloomberg.net Jillian Ward, James Callan
