UPDATE: Microsoft releases Internet Explorer security patch, for Windows XP too
If you are using Microsoft’s Internet Explorer (IE), the U.S. Department of Homeland security is advising you to switch to another web browser until Microsoft releases a fix for a serious security issue. And if you are still a Microsoft XP user, as you may know, Microsoft has stopped support for this operating system April 8th of this year, so you should either keep using a different internet browser or upgrade your operating system software and/or computer – Microsoft will not be releasing a security update for XP. Security firms estimate that between 15 and 25 percent of the world’s PCs still run Windows XP. Choices for web browsers include Google Chrome and Mozilla Firefox.
The IE security hole was uncovered by Milpitas, California based internet security software company FireEye Research Labs, on Saturday. The bug allows hackers to get around security protections in the Windows operating system. Computers can then get infected when visiting a compromised website. It involves a corrupted Adobe Flash file to attack the victim’s computer, so users can avoid it also by turning off Adobe Flash.
“The attack will not work without Adobe Flash,” said. “Disabling the Flash plugin within IE will prevent the exploit from functioning.”
(via USA Today)
The vulnerability could allow a hacker to take complete control of an affected system. The bug affects all versions of Internet Explorer 6 through 11, which accounts for 55 percent of the PC browser market, according to tech research firm NetMarketShare. It is currently targeting IE9 and IE10 (about 25% run this), according to FireEye. They say hackers exploiting the bug are calling their campaign “Operation Clandestine Fox.”
“It’s a campaign of targeted attacks seemingly against U.S.-based firms, currently tied to defense and financial sectors,” FireEye spokesman Vitor De Souza said via email. “It’s unclear what the motives of this attack group are, at this point. It appears to be broad-spectrum intel gathering.”
(via HuffingtonPost)
Microsoft said it was “aware of limited, targeted attacks that attempt to exploit” the vulnerability. They are called “watering-hole attacks”, explains Satnam Narang, threat researcher at computer security company Symantec in Mountain View, California.
Rather than directly reach out to a victim, the hackers inject their code into a “normal, everyday website” that the victim visits, he said. Code hidden on the site then infects their computers.
“It’s called a watering-hole attack because if you’re a lion, you go to the watering hole because you know that’s where the animals go to drink.”
(via USA Today)
Microsoft confirmed Saturday that they are working on the code to close the security hole. They typically release security patches on the second Tuesday of each month, known as Patch Tuesday. Microsoft has not confirmed whether they will release the security patch for this vulnerability before the next Patch Tuesday, May 14th.
Alternative web browsers, Google Chrome and Mozilla Firefox: