Dubai: Microsoft is scrambling to fix a security flaw in Internet Explorer versions 6 through 11 that is already being used in “limited, targeted attacks.”
On Saturday, FireEye Research Labs identified a zero-day exploit (an attack that exploits a previously unknown, and therefore unpatched, vulnerability) being used in targeted attacks.
“The issue is very serious because a lot of people are running Internet Explorer. What will happen if a PC or laptop is infected is that the hacker will have the same rights on the computer as the administrator,” Amer Chebaro, Regional Manager for Symantec, Gulf and Levant, told Gulf News.
He said an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The vulnerable component is VGX.DLL, the library Internet Explorer uses to render Vector Markup Language (VML). Although the flaw affects versions 6 through 11, the exploit seen in the wild targets Internet Explorer 9 and higher.
Microsoft said on its website that the vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
“It is known that this vulnerability was used by malicious software in some targeted attacks. It may be used in drive-by exploits, which help to inject malicious code into the HTML code of a website. After a user gets to this website, malicious software will be downloaded to his system secretly and automatically,” Vyacheslav Zakorzhevsky, Head of the vulnerability research group at Kaspersky Labs, said.
In this particular case, he said the drive-by attack would be successful if a user surfed the web with Internet Explorer and the Adobe Flash Player plug-in.
Microsoft said it is taking appropriate action to protect its customers, which may include issuing a security patch, either through its monthly security update release process or as a one-off update.
Wary
Microsoft did not respond to Gulf News’ queries.
“The best way is to install another popular browser and stick to browsing reputable websites and be wary of clicking on links in unsolicited email,” Chebaro said.
According to FireEye, the vulnerable versions of Internet Explorer accounted for 26.25 per cent of the browser market in 2013.
Symantec said it had carried out tests that confirmed the vulnerability crashes Internet Explorer on Windows XP. “This will be the first zero-day vulnerability that will not be patched for Windows XP users,” Chebaro said.
Microsoft is working on a patch, but he said it would not be made available to XP users, so Symantec has published a tool that offers those users a workaround.
Microsoft stopped support for Windows XP security updates on April 8.
Chebaro said XP users should consider upgrading to Windows 7 or Windows 8.1.
“We have created a small script on our website where the user can go and double-click it. It will unregister VGX.DLL, and users need to update their antivirus software,” Chebaro said.
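The workaround Chebaro describes, unregistering VGX.DLL, is the same interim mitigation Microsoft documented in Security Advisory 2963983. The script below is an added example, not the article's content and not Symantec's tool: it applies the documented regsvr32 commands to both the 32-bit and 64-bit copies of the DLL present on x64 Windows, verifies the result by checking whether any COM class still names vgx.dll as its in-process server, and can re-register the DLL once a patch has been installed. The function names and the -Restore switch are this example's own choices, not anything from Microsoft or Symantec.

```powershell
# Added example (not the article's or Symantec's code): interim mitigation for
# the Internet Explorer zero-day by unregistering VGX.DLL, the VML renderer.
# The regsvr32 commands follow Microsoft Security Advisory 2963983; the
# function names and the -Restore switch are this example's own.
# Run from an elevated PowerShell prompt:
#   .\Toggle-Vgx.ps1            # unregister (mitigate)
#   .\Toggle-Vgx.ps1 -Restore   # re-register after the patch is installed
param(
    [switch]$Restore
)

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-VgxPaths {
    # On 64-bit Windows there are two copies of vgx.dll; both must be handled.
    $paths = @((Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'))
    if (${env:CommonProgramFiles(x86)}) {
        $paths += Join-Path ${env:CommonProgramFiles(x86)} 'Microsoft Shared\VGX\vgx.dll'
    }
    return $paths | Where-Object { Test-Path $_ }
}

function Get-VgxComRegistrations {
    # COM classes whose InprocServer32 points at vgx.dll (32-bit classes live
    # under Wow6432Node on x64). No results means IE can no longer load it.
    $roots = @('Registry::HKEY_CLASSES_ROOT\CLSID',
               'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID')
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $server = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($server -and $server.'(default)' -match 'vgx\.dll') { $_.PSChildName }
        }
    }
}

function Invoke-Regsvr32 {
    param([string]$Dll, [switch]$Unregister)
    # /s suppresses the result dialog; regsvr32 is a GUI process, so wait for
    # it explicitly and read its exit code (0 = success).
    $argList = @('/s')
    if ($Unregister) { $argList += '/u' }
    $argList += "`"$Dll`""
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\regsvr32.exe" `
                          -ArgumentList $argList -Wait -PassThru
    return $proc.ExitCode
}

if (-not (Test-IsElevated)) {
    Write-Error 'Run this script from an elevated (Administrator) PowerShell prompt.'
    exit 1
}

foreach ($dll in Get-VgxPaths) {
    $code = if ($Restore) { Invoke-Regsvr32 -Dll $dll } else { Invoke-Regsvr32 -Dll $dll -Unregister }
    $action = if ($Restore) { 'Registered' } else { 'Unregistered' }
    if ($code -eq 0) { Write-Host "$action $dll" } else { Write-Warning "regsvr32 exit code $code for $dll" }
}

# Verify against the registry rather than trusting the exit code alone.
$remaining = @(Get-VgxComRegistrations)
if ($Restore) {
    Write-Host "VGX.DLL COM registrations present: $($remaining.Count)"
} elseif ($remaining.Count -eq 0) {
    Write-Host 'Mitigation verified: no COM class points at vgx.dll.'
} else {
    Write-Warning "vgx.dll is still registered for CLSIDs: $($remaining -join ', ')"
}
```

Unregistering the DLL removes Internet Explorer's ability to render VML, so pages that rely on VML will display incorrectly until the DLL is registered again; run the script with -Restore after the vendor fix is installed, and reboot or restart all IE processes so no running instance keeps the old library loaded.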