Hackers targeting newly discovered flaw in Internet Explorer


The logo of Microsoft’s Internet Explorer 9 is displayed on a computer monitor. (Bloomberg News)

Hackers are already at work exploiting a newly discovered flaw in Microsoft’s Internet Explorer that has left more than half of the world’s Web browsers vulnerable to attack, including those on many federal government computers.

Microsoft said it was aware of “limited, targeted attacks” in a security advisory posted Saturday. The flaw affects Internet Explorer versions 6 through 11. However, hackers are mostly targeting versions 9 through 11, according to the security firm FireEye, which discovered the flaw.

The versions being actively targeted, IE 9 through 11, represent 26 percent of the total browser market, according to FireEye, which has termed the repeated assaults “Operation Clandestine Fox.” That number jumps to about 56 percent when you include IE versions 6 through 8.

This is what is known as a “zero-day” threat because there was zero time between the discovery of the vulnerability and the first attack by someone exploiting it.

Not every vulnerable Web browser has been compromised. To exploit the vulnerability, hackers have to trick users into taking some sort of action such as clicking on a link or opening an e-mail attachment.

The attacks use a well-known Adobe Flash exploitation technique to bypass Windows’ built-in security protections. Once the bad guys are in, they can install malicious software without users knowing.

The more “rights” a user has, the worse the attack could be. Microsoft explains in its security post:

“An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Microsoft says once it finishes investigating the issue it will issue a fix for the problem, either in a monthly security update or a special security update.

Until the patch is released, using a different browser such as Chrome, Safari or Firefox is a good idea.

If using another browser isn’t an option, Microsoft suggests downloading its Enhanced Mitigation Experience Toolkit version 4.1 to help guard against attacks until a patch is released.

FireEye suggests disabling the Adobe Flash plugin because the attacks won’t work without it. FireEye also said running IE in Enhanced Protected Mode, which is only available for IE versions 10 and 11, will protect users from attacks.
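For administrators who want to check whether those short-term measures are actually in place on a machine, the following PowerShell script is an added example, not code from the article, Microsoft or FireEye. It reads the standard IE registry locations: the ActiveX “kill bit” for the Shockwave Flash control (in IE, Flash runs as an ActiveX control), the per-user Enhanced Protected Mode setting, the installed-programs list for EMET, and the Windows version. The registry value names used for Enhanced Protected Mode (Isolation = PMEM) and the EMET display name are assumptions drawn from how those features are documented, so confirm them against the Internet Options dialog and Control Panel on your own build.

```powershell
# Added example: audit one Windows host for the mitigations the article lists.
# Run from an elevated PowerShell prompt. Registry names marked "assumption"
# should be verified against the host's own UI before relying on the result.

# Well-known CLSID of the Shockwave Flash ActiveX control used by IE.
$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$KillBitKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
$KillBit    = 0x400   # Compatibility Flags bit that stops IE from loading a control

function Test-FlashKillBit {
    # True when the Flash control is blocked by the ActiveX kill bit.
    $flags = (Get-ItemProperty -Path $KillBitKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

function Test-EnhancedProtectedMode {
    # Assumption: IE 10/11 record the per-user EPM switch as Isolation = "PMEM"
    # under ...\Internet Explorer\Main (the value behind Internet Options > Advanced).
    $main = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    return ($null -ne $main) -and ($main.Isolation -eq 'PMEM')
}

function Test-EmetInstalled {
    # Look for EMET in the 32- and 64-bit uninstall lists (display name is an assumption).
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $found = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'EMET*' -or
                            $_.DisplayName -like 'Enhanced Mitigation Experience Toolkit*' }
    return [bool]$found
}

function Get-IEVersion {
    # IE 10 and later report their real version in svcVersion; older builds use Version.
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    if ($ie.svcVersion) { return $ie.svcVersion }
    return $ie.Version
}

# Windows XP is NT 5.x; Vista and later are 6.0 and above.
$osIsXP = [Environment]::OSVersion.Version.Major -lt 6

[PSCustomObject]@{
    IEVersion                 = Get-IEVersion
    FlashBlockedByKillBit     = Test-FlashKillBit
    EnhancedProtectedModeOn   = Test-EnhancedProtectedMode
    EMETInstalled             = Test-EmetInstalled
    WindowsXP_NoPatchExpected = $osIsXP
} | Format-List
```

A machine that reports false for all three mitigations and true for Windows XP is exactly the case the article describes: nothing short-term applies and no vendor patch is coming, so the realistic options are another browser or isolating the host from untrusted web content. Note that the Enhanced Protected Mode check is per user; run it in the context of each account that browses.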

This is the first major security disaster for users who still run Windows XP, the 12-year-old operating system that Microsoft discontinued support for earlier this month. The short-term solutions do not work with the old operating system, and no patches will be released to fix it.

Many federal agencies still use XP despite repeated advance warnings from Microsoft that impending discontinuance of support would leave their computers vulnerable.

About 10 percent of government computers still run XP, including thousands of computers on classified military and diplomatic networks, according to The Washington Post’s Craig Timberg and Ellen Nakashima.


Gail Sullivan covers business for the Morning Mix blog.
