SEATTLE -- Microsoft is rushing to fix a security flaw in its Internet Explorer browser that is already being used in "limited, targeted attacks," as antivirus firms and the U.S. government advise switching to alternate products.
To take over a user's personal computer through the browser's vulnerability, a hacker would have to persuade that person to click on a link to view a malicious website, Microsoft said in an advisory.
The Explorer security concerns come just weeks after the public discovery of Heartbleed, a flaw in the design of an encryption tool that runs on as many as two-thirds of all active websites. Some version of Internet Explorer runs on 58 percent of all desktop PCs, according to NetMarketShare, compared with 18 percent for Google's Chrome, the No. 2 browser.
"An attacker who successfully exploited this vulnerability could gain the same user rights as the current user," Microsoft said in the advisory, issued Saturday. "On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs."
The flaw exists in Internet Explorer versions 6 through 11, which means it will affect users of Windows XP, the operating system that Microsoft stopped supporting with security updates earlier this month.
Symantec, the biggest maker of PC-security software, advised customers to switch to another browser until Microsoft releases a software patch to fix the vulnerability and to use a security mitigation tool kit that Microsoft recommended and that will work with Windows XP. The U.S. Department of Homeland Security's Computer Emergency Readiness Team issued similar advice Monday.
The vulnerability was found Saturday by researchers at security firm FireEye, who also discovered the related attacks and named the campaign "Operation Clandestine Fox." FireEye, in a statement on its blog, declined to provide details of the campaign except to say it was targeted at Internet Explorer versions 9 through 11, which account for about a quarter of the total browser market.
This type of security flaw is known as a zero-day threat because attackers are already exploiting the weakness when it is discovered, leaving no time (zero days) to prepare a fix before the attacks begin.
Earlier this month, researchers disclosed discovery of the Heartbleed bug, a flaw in OpenSSL encryption software. Researchers pushed out a fix for the vulnerability, which could have enabled hackers to gain access to user names, passwords and other sensitive information, and users were urged to change their website passwords. Companies such as BlackBerry, Cisco Systems and Yahoo were affected by the bug.
Consumer-data breaches at Target and Neiman Marcus in recent months and the spying scandal involving the National Security Agency have also raised concerns about the security of networks and private information.
Windows XP users are getting their first taste of life without security updates after the discovery of the Internet Explorer browser flaw.
Security experts advise that Windows users avoid Internet Explorer until Microsoft issues a patch for the problem, which will likely happen May 13.
But that patch will not protect users of Windows XP. That's because Microsoft stopped supporting Windows XP earlier this month.
After 13 years of maintaining Windows XP, Microsoft said it would no longer issue security updates for the popular operating system.