A major security flaw in Microsoft’s Internet Explorer web browser has been discovered, putting millions of users potentially at risk of handing hackers “complete control” of a user’s computer – warns the US Government.
Versions 6 to 11 of the popular web browser are affected, and the bug could allow hackers to take over a victim’s computer. Microsoft has admitted that there have already been some “limited, targeted attacks” to exploit the bug.
Microsoft have issued a security advisory, and stated that those attempting to take advantage of the flaw in IE, would have to host a “specially crafted” website, which would allow them to hijack a user’s computer once they had lured the victim to the website.
Hackers who manage to exploit the flaw would gain equal access rights as the user to their computer, allowing them the ability to do anything, such as changing passwords, installing malicious software or uninstalling the user’s software, and accessing sensitive files.
Microsoft have not released specific details around the nature of the flaw, only mentioning that it is related to the way in which Internet Explorer accesses an item in memory that has been deleted, or improperly allocated.
How to avoid being compromised
The simplest solution is to switch to another browser. This is the action recommended by the US Department of Homeland Security. Microsoft will be frantically trying to push out a patch for Internet Explorer before all of their users switch.
If you are still using Internet Explorer, it is important to bear in mind that if you are only browsing trusted websites, then this flaw won’t affect you. There is no way for hackers to force you to view their specially crafted websites, they will have to coerce you there somehow. Therefore, be wary of suspicious links, especially in emails.
Internet Explorer users still on Windows XP are said to be even more at risk than users on newer operating systems. Windows XP was recently retired by Microsoft, as they officially ended their support for the 13 year old operating system, meaning users of it would no longer receive any patches or security updates and hotfixes.
The effect of this security flaw could be felt more keenly by businesses, where the usage of Internet Explorer is higher than home users (many workplaces do not allow users to install and download third party applications such as alternative web browsers), and where Windows XP is still being used in some capacity.
It is currently not clear whether Microsoft are going to release a patch that will fix the issue for XP users, or if they will only patch the issue for users of newer operating systems – providing further incentive for those users to upgrade to a newer OS like Windows 7 or 8. At the moment, it is not known whether the patch will be built into the next automatic update cycle for Windows (currently happens monthly), or if a one-off patch will be released by Microsoft for users to download.
Another nail in IE’s coffin?
Internet Explorer is the default browser for many PC users, as it comes pre-installed on Windows machines. However, the usage statistics for Internet Explorer have long been in a state of free-fall. In 2008, Internet Explorer users accounted for about 70% of web traffic. That figure has fallen to around 23% today, with many users defecting to Google and Mozilla’s popular Chrome and Firefox browsers. The resurgence of Apple has also seen the Safari browser gain a significant proportion of the market. (source – Statcounter.com)
The current downward trend points to a better experience on other browsers, as well as the growth in popularity of Android and IOS mobile devices and tablets that come with Chrome or Safari preloaded.
This latest news could speed IE’s decline even further. Security is a huge concern at the moment, as proven by the media and public reaction to the widely reported Heart Bleed bug. This new concern, coupled with the recent blunder from Microsoft where they made it necessary for Windows 8.1 users to upgrade in order to continue receiving security patches, could lead to even Microsoft’s staunchest supporters jumping ship to competitor’s products.
Currently, Internet Explorer 6, IE 7, IE 8, IE 9, IE 10 and IE 11 are all affected by the bug.
Update: Microsoft have now fixed this flaw – even for users on XP. You can read our new blog post here.