The security flaw allows attackers to gain control of the user's computer. According to a Microsoft advisory, an attacker who exploits it could then "install programs; view, change, or delete data; or create new accounts with full user rights".
Craig Searle, Head of Cyber APAC at BAE Systems Applied Intelligence, explained to Corporate Risk and Insurance that the flaw allows an attacker to execute code on a victim's computer when the victim views a maliciously coded website. Once an attacker has the ability to remotely execute code, they effectively have complete control of the victim's computer.
“Every version of Internet Explorer after IE6 is vulnerable (for reference IE6 was launched in 2001),” Searle said.
IE still holds a significant share of the browser market globally, with estimates varying between 10% and 25% depending on the region, which makes this a significant issue worldwide. Microsoft said that it was aware of "limited, targeted attacks" that exploit the flaw, and Searle said his organisation too "is observing a number of threat actors already using the vulnerability, particularly via phishing emails and watering-hole attacks".
Microsoft said it is taking appropriate action to protect its customers, which may include issuing a security patch, either through its monthly security update release process or as a one-off, out-of-cycle update.
However, people still using Windows XP will not benefit from a security patch, as Microsoft has stopped supporting the operating system.
Searle advised enterprises to deploy any Microsoft security patch as a priority.
“In addition organisations should consider internal testing or scanning to ensure the patch deployment has been consistent. Missing out just one or two systems leaves the entire organisation vulnerable,” Searle said. “Companies that do not use IE as their ‘standard’ browser should also consider rapid deployment of the patch to ensure any inadvertent usage doesn’t introduce a risk to the organisation.”
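The kind of consistency check Searle describes can be scripted. The following PowerShell is an added example, not code from the article or from BAE Systems. It assumes WinRM (for Invoke-Command) and RPC/DCOM (for Get-HotFix) are reachable on the target hosts, and the KB number is a placeholder parameter to be replaced with the identifier from Microsoft's bulletin; the article does not name it.

```powershell
# Added example: verify that an IE fix has landed consistently across a fleet.
# Reports the installed IE version and whether the given hotfix is present.
# Any host that cannot be queried is reported as NOT verified, because an
# unreachable host is exactly the "one or two systems" that get missed.
function Test-IEPatchStatus {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        # Placeholder: substitute the KB number from Microsoft's bulletin.
        [Parameter(Mandatory)] [string]   $KB
    )

    foreach ($c in $ComputerName) {
        try {
            # Read the IE version from the registry on the remote host.
            # IE10/11 record their real version in svcVersion; older builds only set Version.
            $ieVersion = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
                $k = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
                if ($k.svcVersion) { $k.svcVersion } else { $k.Version }
            }

            # Get-HotFix queries Win32_QuickFixEngineering. If the query fails,
            # SilentlyContinue yields $null, which is treated as "not patched".
            $hotfix  = Get-HotFix -Id $KB -ComputerName $c -ErrorAction SilentlyContinue
            $patched = [bool]$hotfix

            [pscustomobject]@{
                Computer  = $c
                IEVersion = $ieVersion
                Patched   = $patched
                Verified  = $true
                Error     = $null
            }
        }
        catch {
            # Host unreachable or access denied: surface it rather than dropping it.
            [pscustomobject]@{
                Computer  = $c
                IEVersion = $null
                Patched   = $false
                Verified  = $false
                Error     = $_.Exception.Message
            }
        }
    }
}

# Usage (hostnames and KB are placeholders):
$report = Test-IEPatchStatus -ComputerName 'ws01','ws02','ws03' -KB 'KB0000000'
$report | Format-Table -AutoSize

# Hosts that still need attention: missing the fix, or never verified at all.
$report | Where-Object { -not $_.Patched -or -not $_.Verified }
```

Hosts that fail the query are deliberately kept in the "needs attention" list instead of being silently skipped; a report that only shows the machines that answered would give exactly the false confidence the quote warns about. Machines where IE is not the standard browser should be included in the host list too, since the fix targets the installed component, not just the browser people happen to use.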
Microsoft also advises IE users to follow the guidance in the Microsoft Safety & Security Center of enabling a firewall, applying all software updates, and installing antimalware software.
A major vulnerability in Microsoft's Internet Explorer (IE) browser has been uncovered, and any organisation using versions 6 to 11 is at risk.