The Washington PostDemocracy Dies in Darkness

Internet Explorer bug offers yet another reason to upgrade from Windows XP

Workers installed the Microsoft logo on Nokia's headquarters in Espoo, Finland, on Saturday, the day after Nokia completed the sale to Microsoft of its once iconic handset business. (Lehtikuva/ Mikko Stig/AFP/Getty Images)

Update: On Monday, the U.S. Department of Homeland Security issued an unusual warning recommending that users and administrators either use Microsoft's mitigation toolkit or an alternative Web browser until the company officially updates Internet Explorer.

Original post: Microsoft alerted Web users over the weekend of yet another security flaw, this time in its browser, Internet Explorer.

On Saturday, the company put up an official notice saying that the flaw affects anyone using a version of the browser that falls between Internet Explorer 6 and Internet Explorer 11, though attackers appear to be actively targeting only those using the latest three versions of IE. The security firm FireEye, which helped Microsoft in uncovering the bug, estimates that more than 25 percent of Internet users fall in that targeted group.

Hackers install the bug after a user clicks on a bad link or opens an infected attachment. The bug then allows the hackers to masquerade as legitimate users. And, as my colleague Gail Sullivan at the Morning Mix noted, the more permissions a user has, the worse the exploit will be. If you are logged into the administrator account on your computer, for example, the hackers will be able to do a lot more with your credentials.

Criminals are particularly targeting U.S. financial and defense organizations, according to FireEye.

So, what should you do? The most obvious way to avoid becoming a victim of this bug is to use another browser, such as Mozilla's Firefox, Google's Chrome or Apple's Safari.

If you really need to use Internet  Explorer -- some sites, particularly corporate sites, support only Microsoft's browser -- Microsoft has released a tool called the Enhanced Mitigation Experience Toolkit that should mitigate the problem. Users should also turn off Adobe Flash, to stop the attack.

And, once again, it's also a good time to take stock of personal security practices. In general, it's best not to use the administrator account on your computer as the primary profile. Instead, make a separate profile for day-to-day use. Sure, that can be a pain when you want to dig into your computer's systems a bit more deeply, but it's an extra layer of protection that can really help in instances such as these.

And, of course, it's always good to be suspicious of weird links, strange e-mails and odd attachments. These kinds of attacks should put folks on their guard -- particularly for work e-mails. If you get a weird e-mail asking for your password from someone pretending to be your company's administrator, for example, create a fresh e-mail chain with your IT department and ask them about it. Or pick up the phone and call.

As for this particular hack, Microsoft is going to release a fix for the bug. But it won't roll out for customers who use Windows XP, since the firm ended this kind of support for that operating system earlier this month. While Microsoft is continuing to offer antivirus support through July, the update that it is providing in this instance will go only to those who've upgraded from the 12-year-old system.

Correction: An earlier version of this post incorrectly stated that Microsoft had released a patch for the problem on Monday afternoon. That patch was released to resolve a different issue.