The vulnerability is actively being exploited by hackers, Microsoft has warned, and every active version of Internet Explorer is at risk, from IE 6 through IE 11, on every supported Windows version, including Windows XP and Windows RT. The bug could allow hackers to gain access to a Windows computer and hijack it, including the personal data on it.
Microsoft warned that it was “aware of limited, targeted attacks” currently under way using the security hole in Internet Explorer, which is used by over 55% of internet users globally, according to the latest data from research firm Netmarketshare.
“This issue allows remote code execution if users visit a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message,” Dustin Childs, a group manager of Microsoft’s Trustworthy Computing department, explained in a blog post.
'Appropriate action to protect our customers'
Microsoft issued security advice over the weekend, saying it was investigating the flaw and will take “appropriate action to protect our customers”, including patching the security hole, originally found by security company FireEye.
The flaw affects users of Internet Explorer on multiple Windows versions, including Windows Vista, Windows 7 and the latest Windows 8. But the biggest threat is posed to the 13-year-old Windows XP, for which Microsoft recently withdrew support and which is still used on an estimated 430m computers globally.
It is unknown whether Microsoft will backtrack on its support withdrawal to fix the security hole in Internet Explorer on Windows XP.
“Windows XP users shouldn’t panic, but should certainly be aware of the risk and if at all possible switch to an alternative browser,” Rik Ferguson, vice president of security research at Trend Micro, told the Guardian. “If you aren't going to be switching your operating system any time soon, it would be a good idea to make a permanent switch to another browser. That would make the web-facing portion of your browsing activities one that will be actively updated.”
Warnings over an “XPocalypse”, in which a flood of security holes was expected once Microsoft’s security support for Windows XP stopped on 8 April, seem to have been overblown, but the risk of using a system that is no longer updated is still real.
“The fact that we’re seeing a vulnerability that affects Windows XP this soon after support has ended indicates that we’re going to see a trickle of security flaws instead, but a strong trickle at that. Criminals and nation states may well have a stockpile of these bugs but they are very unlikely to unleash them in one go,” Ferguson said.
Take complete control
Microsoft’s security note explained that an attacker looking to exploit the bug to take complete control of a user’s computer through Internet Explorer would need the user to view a “specially crafted website”.
Microsoft advised users to be careful about clicking on suspicious links that could take them to an attacker’s site when browsing, emailing or chatting via instant messenger. The company also described a series of workarounds that could help protect users, including installing a Microsoft toolkit that enhances the security of Internet Explorer.
“We encourage customers to follow the suggested mitigations outlined in the security advisory while an update is finalised,” a Microsoft spokesperson told the Guardian.
• UK government pays £5.5m to Microsoft to extend support for Windows XP, including security patches
• Which computer should I buy to replace a Windows XP PC?
guardian.co.uk © Guardian News and Media Limited 2010