Internet Explorer bug used by hackers to attack U.S. firms - Action News

Internet Explorer bug used by hackers to attack U.S. firms

Are you using Microsoft's Internet Explorer browser? You should stop for now until the company fixes a security flaw that hackers have used to launch attacks, warn the U.S. Department of Homeland Security and a U.K. agency.

Malicious Operation Clandestine Fox campaign targets U.S. defence, financial firms

Jason Avery of web security firm TippingPoint is shown. The company recently founded a program that rewards researchers for disclosing vulnerabilities like the recently discovered programming flaw in Internet Explorer. (Eric Gay/Associated Press)

The U.S. and UK governments on Monday advised computer users to consider using alternatives to Microsoft Corp's Internet Explorer browser until the company fixes a security flaw that hackers used to launch attacks.

The Internet Explorer bug, disclosed over the weekend, is the first high-profile computer threat to emerge since Microsoft stopped providing security updates for Windows XP earlier this month. That means PCs running the 13-year-old operating system will remain unprotected, even after Microsoft releases updates to defend against it.

The Department of Homeland Security's U.S. Computer Emergency Readiness Team said in an advisory released on Monday that the vulnerability in versions 6 to 11 of Internet Explorer could lead to "the complete compromise" of an affected system.

The recently established UK National Computer Emergency Response Team issued similar advice to British computer users, saying that in addition to considering alternative browsers, they should make sure their antivirus software is current and regularly updated.

Versions 6 to 11 of Internet Explorer dominate desktop browsing, accounting for 55 percent of global market share, according to research firm NetMarketShare.

Bencsáth, assistant professor with Hungary's Laboratory of Cryptography and Systems Security, said the best solution was to use another browser such as Google Inc's Chrome or Mozilla's Firefox.

Delayed upgrades

Security experts have long been warning Windows XP users to upgrade to Windows 7 or 8 before Microsoft stopped supporting it at the beginning of this month.

The threat that emerged over the weekend could be the wake-up call that prompts the estimated 15 to 25 percent of PC users who still use XP to dump those systems.

"Everybody should be moving off of it now. They should have done it months ago," said Jeff Williams, director of security strategy with Dell SecureWorks.

Roger Kay, president of Endpoint Technologies, expects several hundred million people running Windows XP to dump those machines for other devices by the end of the year.

They will be looking at Windows machines as well as Apple Inc's Macs and iPads along with Google's Chrome laptops and Android tablets, he said.

"Not everybody will necessarily go to Windows, but Microsoft has a good chance at getting their business," he said. "It's got to be a good stimulus for the year."

News of the vulnerability surfaced over the weekend. Cybersecurity software maker FireEye Inc warned that a sophisticated group of hackers have been exploiting the bug in a campaign dubbed "Operation Clandestine Fox."

FireEye, whose Mandiant division helps companies respond to cyber attacks, declined to name specific victims or identify the group of hackers, saying that an investigation into the matter is still active.

"It's a campaign of targeted attacks seemingly against U.S.-based firms, currently tied to defense and financial sectors," said FireEye spokesman Vitor De Souza on Sunday. "It's unclear what the motives of this attack group are, at this point. It appears to be broad-spectrum intel gathering."

In addition to possibly switching to an alternative web browser, US-CERT advised businesses to consider using a free Microsoft security tool known as EMET, or the Enhanced Mitigation Experience Toolkit, to thwart potential attacks. Security experts say EMET is helpful in staving off attacks, but businesses are sometimes reluctant to use it because it can cause systems to crash due to incompatibility with some software programs.