Hackers have already targeted a flaw that affects IE versions 7, 8 and 9 and can be exploited on XP, Vista and Windows 7
Microsoft is urging Windows users to install a free piece of security software to protect PCs from a newly discovered “zero-day” security flaw in its Internet Explorer browser which hackers are already exploiting to take remote control of computers.
“We’re aware of targeted attacks potentially affecting some versions of Internet Explorer,” Microsoft said in a statement.
The bug is found in IE 7, 8 and 9 and can be exploited on computers running XP, Vista and Windows 7, according to the security company Rapid7.
With versions of IE in use on those platforms by hundreds of millions of people, Microsoft has taken the interim measure of offering free security software on its website (the Enhanced Mitigation Experience Toolkit, EMET, at http://www.microsoft.com/en-us/download/details.aspx?id=29851) while it works on rolling out an update to harden the program.
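The interim advice above amounts to two checks an administrator can script: is the installed Internet Explorer in the affected 7 to 9 range, and has iexplore.exe been opted into EMET's mitigations? The PowerShell below is an added example, not code from the article, Microsoft or Rapid7. It assumes EMET 3.x is installed in its default folder (a hypothetical location on this machine) and relies on the `Version`/`svcVersion` registry values Internet Explorer writes and on EMET's documented `EMET_Conf.exe --list` and `--add` switches.

```powershell
# Added example (not from the article): report the installed IE version and
# whether iexplore.exe is opted into EMET. Run from an elevated PowerShell.

# Internet Explorer records its version under this key. IE 7/8/9 use 'Version';
# later releases leave 'Version' at 9.x and put the real number in 'svcVersion'.
$ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$version = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
$major = [int]($version.Split('.')[0])
Write-Output "Internet Explorer version: $version"
if ($major -ge 7 -and $major -le 9) {
    Write-Warning "IE $major is in the affected range (7, 8 and 9) reported by Rapid7."
}

# Locate EMET_Conf.exe. Assumed default install folders; adjust if EMET lives elsewhere.
$candidates = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'EMET\EMET_Conf.exe' }
$emetConf = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1

if (-not $emetConf) {
    Write-Warning 'EMET_Conf.exe not found; EMET does not appear to be installed.'
} else {
    # --list prints the applications currently configured for EMET mitigations.
    $configured = & $emetConf --list
    if ($configured -match 'iexplore\.exe') {
        Write-Output 'iexplore.exe is already opted into EMET mitigations.'
    } else {
        # --add opts a binary in with EMET's default mitigation set. On 64-bit
        # Windows the 32-bit browser under Program Files (x86) is the one users
        # normally launch, so both copies are added when present.
        foreach ($dir in @($env:ProgramFiles, ${env:ProgramFiles(x86)} | Where-Object { $_ })) {
            $iexplore = Join-Path $dir 'Internet Explorer\iexplore.exe'
            if (Test-Path $iexplore) { & $emetConf --add $iexplore }
        }
    }
}
```

Opting iexplore.exe in after the fact is exactly the compatibility risk Marc Maiffret describes later in the piece: EMET's mitigations can break add-ons and line-of-business applications, so test on a representative machine before rolling the change out.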
Zero-day vulnerabilities being exploited in the wild are rare, mostly because they are hard to find: discovering one takes highly skilled software engineers or hackers with plenty of time to scrutinise code for holes that can be exploited to launch attacks.
Security experts only disclosed discovery of eight major zero-day vulnerabilities in all of 2011, according to Symantec.
Eric Romang, a researcher in Luxembourg, discovered the flaw on Friday when his PC was infected with Poison Ivy, a remote-access trojan that hackers use to steal data or take remote control of PCs.
When he analysed the infection, he learned that Poison Ivy had gotten on to his system by exploiting a previously unknown bug, or zero-day vulnerability, in IE.
He suspected that it was the work of a hacking crew dubbed “Nitro” by Symantec, because that group had previously used zero-day exploits to break into PCs at chemicals companies, apparently to steal corporate data.
“Any time you see a zero-day like this, it is concerning,” said Liam O Murchu, a research manager with antivirus software maker Symantec. “There are no patches available. It is very difficult for people to protect themselves.”
That difficulty is what makes zero-day flaws valuable to commercial and government hackers, and there is known to be a thriving underground business in which companies discover and sell zero-day exploits to others, sometimes for hundreds of thousands of pounds.
Efforts by Microsoft, Google and Mozilla, whose IE, Chrome and Firefox browsers respectively make up the majority of desktop use, to offer bounties for reports of zero-day flaws have had little effect on that business – although trading in exploits, or distributing them for free, is illegal in Germany.
Internet Explorer used to be the world’s most widely-used browser, thanks to its position as the default on Microsoft’s Windows software. But Google’s Chrome, launched only in September 2008, has overtaken it, according to the web monitoring company StatCounter, which says that Chrome has 34% of the world market.
IE has 33%, it says, and Firefox 23%. The next largest is Apple’s Safari at 8%, it says.
Symantec and other major antivirus software makers have already updated their products to protect customers against the newly discovered bug in Internet Explorer. Yet O Murchu said that might not be sufficient to ward off adversaries.
“The danger with these types of attacks is that they will mutate and the attackers will find a way to evade the defenses we have in place,” he said.
Some security experts said computer users should avoid Internet Explorer, even if they install Microsoft’s EMET security tool.
“It doesn’t appear to be completely effective,” said Tod Beardsley, an engineering manager at Rapid7.
Rapid7 released software on Monday that security teams can use to simulate attacks exploiting the Internet Explorer flaw, so they can test whether machines on their corporate networks are vulnerable to this particular bug.
But in a world where many businesses rely on software written specially to run on IE to carry out corporate functions, avoiding IE may simply not be feasible.
And Marc Maiffret, chief technology officer of the security company BeyondTrust, pointed out that it may not be feasible for some businesses and consumers to install Microsoft’s EMET tool on their PCs.
He said the security software had in some cases proven to be incompatible with existing programs already running on networks.
Dave Marcus, director of advanced research and threat intelligence with Intel’s McAfee security division, said it might be a daunting task for home users to locate, download and install the EMET tool.
“For consumers, it might be easier to simply click on [Google's] Chrome,” Marcus said.