Microsoft Corporation (MSFT) sent out a warning on Saturday about a recently discovered security flaw in five versions of Internet Explorer (6 -11), the default browser in many users’ systems, and occupant of half the browsing market. This loophole in the widely-used browser’s security system allows intruders to impersonate official users and gain access to the computer’s memory.
The Redmond, Washington-based software company said in a statement that the flaw is a “remote code execution vulnerability,” meaning that a hacker can “execute arbitrary code,” or any other commands on a targeted machine, provided the user views a malicious but carefully crafted website. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” said the company in the advisory released on April 26. It also confirmed that it is aware of “limited, targeted attacks” based on the exploitation of the bug, and that investigations are ongoing.
According to FireEye Inc. (FEYE), the leading security company that discovered the bug, the flaw is a “Zero Day.” Zero Day bugs are so called because they come without warning and are only discovered upon attacks.
Without elaborating, FireEye claimed that a group of hackers were exploiting the vulnerability in an ongoing campaign named “Operation Clandestine Fox.” The Milpitas, California-based security provider discovered that the cybercriminals were focusing on later IE versions – 9 through 11 – to attack systems. The firm added that the APT group (Advanced Persistent Threat) was also the first to get access to a “select number of browser-based 0-day exploits in the past.”
Microsoft is yet to release a security update or instructions for users whose machines may be in danger, but said in a statement: “On completion of this investigation, Microsoft will take the appropriate action to protect our customers.” The company has, however, recommended a few basic measures. Users have been advised to run their systems with Enhanced Security Configuration and to follow guidance by Microsoft Active Protections Program (MAPP) to mitigate this threat.
Windows XP, however, which is estimated to run in 15-25 percent of all PCs, remains under serious threat. Microsoft had earlier this month announced that it had abandoned updates and support, including security patches, for the XP operating system.
“XP users are not safe anymore and this is the first vulnerability that will be not patched for their system,” wrote Christian Tripputi, a researcher at Symantec Corporation (SYMC), in a blog post.