Hackers are already at work exploiting a newly discovered flaw in Microsoft’s Internet Explorer that has left more than half of the world’s Web browsers vulnerable to attack, including those on many federal government computers.
Microsoft said it was aware of “limited, targeted attacks” in a security advisory posted Saturday. The flaw affects Internet Explorer versions 6 through 11. However, hackers are mostly targeting versions 9 through 11, according to the security firm FireEye, which discovered the flaw.
The most vulnerable versions represent 26 percent of the total browser market, according to FireEye, which has termed the repeated assaults “Operation Clandestine Fox.” But that number jumps to about 56 percent when you include IE versions 6 through 8.
This is what is known as a “zero-day” threat because there was zero time between the discovery of the vulnerability and the first attack by someone exploiting it.
Not every vulnerable Web browser has been compromised. To exploit the vulnerability, hackers have to trick users into taking some sort of action, such as clicking on a link or opening an e-mail attachment.
The exploit relies on a well-known Adobe Flash technique to bypass Windows security protections. Once the bad guys are in, they can install malicious software without the user’s knowledge.
The more “rights” a user has, the worse the attack could be. Microsoft explains in its security post:
“An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Microsoft says that once it finishes investigating the issue it will release a fix, either in a monthly security update or in a special, out-of-cycle security update.
Until the patch is released, using a different browser such as Chrome, Safari or Firefox is a good idea.
If using another browser isn’t an option, Microsoft suggests downloading its Enhanced Mitigation Experience Toolkit version 4.1 to help guard against attacks until a patch is released.
FireEye suggests disabling the Adobe Flash plugin because the attacks won’t work without it. FireEye also said running IE in Enhanced Protected Mode, which is only available in IE versions 10 and 11, will protect users from the attacks.
This is the first major security disaster for users who still run Windows XP, the 12-year-old Microsoft operating system for which Microsoft discontinued support earlier this month. The short-term workarounds do not work on the old operating system, and no patches will be released to fix it.
Many federal agencies still use XP despite repeated advance warnings from Microsoft that the impending end of support would leave their computers vulnerable.
About 10 percent of government computers still run XP, including thousands of computers on classified military and diplomatic networks, according to The Washington Post’s Craig Timberg and Ellen Nakashima.