On Saturday, April 26th, Microsoft issued a security advisory outlining the first significant security flaw since support for Windows XP ended earlier this month: a remote code execution vulnerability discovered in Internet Explorer 6, 7, 8, 9, 10, and 11.
According to cybersecurity firm FireEye, this vulnerability is being exploited by a sophisticated group of hackers targeting US companies in the defense and financial sectors in an effort called “Operation Clandestine Fox.”
The main goal seems to be luring IE users to click on a malicious link, which leads to an attack website, which then allows the hackers to gain total control of the individual’s PC. “An attacker who successfully exploited this vulnerability could gain the same user rights as the current user,” Microsoft’s security updates states. “If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
As of April 28th, no patch or fix was available, although Microsoft said its engineers are working diligently to address the vulnerability — and didn’t rule out releasing an emergency, out-of-cycle security update to deal with it. But with 58% of PCs running Internet Explorer, according to NetMarketShare, the flaw could potentially affect millions of users. The widespread nature of the vulnerability, along with industries targeted by it, even motivated the US Department of Homeland Security’s Computer Emergency Readiness team to advise users to consider an alternative to Internet Explorer.
So how can you keep your computers and sensitive business data safe?
Avoid using Internet Explorer for day-to-day web surfing until the issue is resolved (popular alternative browsers include Chrome and Safari).
If your business uses custom applications that require Internet Explorer, avoid visiting any public sites with the browser.
DO NOT click on ANY embedded links in email messages or on public web pages unless you know the sender or source.
DO NOT browse the Internet from PCs that access confidential data like credit card information, protected health information, or personally identifiable information.
Call your trusted IT provider BEFORE clicking on anything that appears suspicious. Still using Windows XP? You’re risk level runs even higher. Once Microsoft does fix this flaw, it WILL NOT apply to XP systems. Many security experts believe this is only the first of many attacks that will look to exploit Microsoft’s cessation of support for the outdated operating systems. Have questions about this new Internet Explorer vulnerability? Unsure whether you can still use the browser to access your custom business applications? Contact us today. We take the security of your systems and your data seriously, we have the expertise and access to services that can provide true protection from threats such as this one.