The bug is the first high-profile security flaw to emerge since Microsoft stopped providing security updates for Windows XP earlier this month. That means PCs running the 13-year-old operating system could remain unprotected against hackers seeking to exploit the newly uncovered flaw, even after Microsoft figures out how to defend against it.
The United States Computer Emergency Readiness Team, a part of Homeland Security known as US-CERT, said in an advisory released on Monday morning that the vulnerability in versions 6 to 11 of Internet Explorer could lead to the complete compromise of an affected system.
Microsoft had, earlier in the day, warned users of the security flaw in the browser. "Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. The vulnerability is a remote code execution vulnerability," it said in a blogpost.
"On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs," Microsoft said.
"We are currently unaware of a practical solution to this problem," Carnegie Mellon's Software Engineering Institute warned in a separate advisory that US-CERT linked to in its warning. Cybersecurity software maker FireEye Inc warned that a sophisticated group of hackers has been exploiting the bug in a campaign dubbed "Operation Clandestine Fox". FireEye, whose Mandiant division helps companies respond to cyber attacks, declined to name specific victims, saying that an investigation into the matter is still active.
Open to attacks
* PCs running the 13-year-old operating system could remain unprotected against hackers
* Microsoft says it will take appropriate action to protect customers, which may include providing a solution through a monthly security update release process