Software king of the world Microsoft is warning that its Internet Exploder software has a zero-day flaw which allows hijackers to install malicious software without any help from users.
All a potential victim has to do is visit the wrong site and they are toast.
In an alert posted on Saturday, Microsoft said it is aware of “limited, targeted attacks” against the vulnerability (CVE-2014-1776) so far.
The flaw was found by security firm FireEye, which discovered the attack.
In its own advisory, FireEye says the exploit currently is targeting IE9 through IE11 and the weakness also is present in all earlier versions of IE going back to IE6.
It uses a well-known Flash exploitation technique to bypass security protections on Windows.
So far, Microsoft has not yet issued a stopgap “Fix-It” solution for this vulnerability. For now, it is urging IE users to download and install its Enhanced Mitigation Experience Toolkit (EMET), a free tool that can help beef up security on Windows.
However, Vole admits that EMET 3.0 does not mitigate this attack, and that affected users should instead rely on EMET 4.1.
According to information shared by FireEye, the exploit also can be blocked by running Internet Explorer in “Enhanced Protected Mode” configuration and 64-bit process mode, which is available for IE10 and IE11 in the Internet Options settings.
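For admins who want to check whether a machine actually has the mitigations described above turned on, here is an added PowerShell audit script. It is not from the article, Microsoft or FireEye. It assumes the registry locations that the Internet Options dialog and the EMET installer write to: `Isolation = "PMEM"` under `HKCU:\Software\Microsoft\Internet Explorer\Main` for Enhanced Protected Mode, `Isolation64Bit = 1` for 64-bit EPM processes, and the standard Uninstall keys for the installed EMET version. Those value names are assumptions, not something the article states, so verify them against your own build before relying on the result.

```powershell
# Added example, not from the original article.
# Audit one Windows host for the CVE-2014-1776 mitigations the article lists:
# IE Enhanced Protected Mode, 64-bit EPM processes, and EMET 4.1 or newer.
# Registry value names below are assumed from how Internet Options / EMET write them.

$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ie     = Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue

# Internet Options > Advanced > "Enable Enhanced Protected Mode" (assumed: Isolation = "PMEM")
$epmEnabled = ($ie -and $ie.Isolation -eq 'PMEM')

# "Enable 64-bit processes for Enhanced Protected Mode" (assumed: Isolation64Bit = 1)
$epm64Enabled = ($ie -and $ie.Isolation64Bit -eq 1)

# Find EMET in the installed-programs list (both native and Wow6432Node views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$emet = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'EMET*' } |
        Select-Object -First 1

# The article says EMET 3.0 does not block this attack and 4.1 does, so compare against 4.1.
$emetVersion   = 'not installed'
$emetMitigates = $false
if ($emet -and $emet.DisplayVersion) {
    $emetVersion = $emet.DisplayVersion
    try {
        $emetMitigates = ([version]$emet.DisplayVersion -ge [version]'4.1')
    } catch {
        # Non-numeric version string; leave $emetMitigates as $false.
    }
}

# Summarise the posture of this host as one object (handy for fleet-wide collection).
$report = [pscustomobject]@{
    ComputerName          = $env:COMPUTERNAME
    EnhancedProtectedMode = $epmEnabled
    EPM64BitProcesses     = $epm64Enabled
    EMETVersion           = $emetVersion
    EMETMitigates         = $emetMitigates
}
$report

if (-not ($epmEnabled -and $epm64Enabled) -and -not $emetMitigates) {
    Write-Warning 'Neither EPM + 64-bit mode nor EMET 4.1+ is in place; this host relies on no listed mitigation.'
}
```

Run it under the user account whose IE settings you care about, since the EPM switches live in HKCU; the EMET check reads HKLM and so reflects the whole machine. On XP the EPM values will simply be absent and the script reports both as false, which matches the article's point that those users are left without the mitigation.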
Vole has also indicated that this is one of many zero-day attacks and vulnerabilities that will never be fixed for Windows XP users.
Microsoft last month shipped its final set of updates for XP. Unfortunately, many of the exploit mitigation techniques that EMET brings do not work in XP.
Of course, XP users could solve the problem by running Firefox or any other browser which is not Internet Explorer.