In an advisory issued on Monday night, Microsoft stated it was "investigating public reports" of a vulnerability found in several versions of its browser, including IE6, IE7, IE8 and IE9. All of these browsers, running on Windows XP, Vista and Windows 7, contain the remote code execution vulnerability.
The newest version, IE10, on Windows 8, which has been scheduled to be released for general availability on Oct. 26, is not impacted by this vulnerability.
According to Computerworld, attackers are exploiting a "zero-day" vulnerability in various versions of Internet Explorer. Security experts say exploiters are "hijacking Windows PCs that cruise to malicious or compromised websites." Users who stumble upon an infected website will give the exploiters user permissions of their computers, said security company Rapid7 on the Metasploit Project site.
In addition, PC World notes, this could include sites that display infected advertisements.
If this vulnerability is exploited, attackers could use and control the affected computers the same way their users would, which could be risky on a variety of levels. Some security experts are advising users to discontinue using Internet Explorer until Microsoft issues a fix.
"Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available," a Rapid7 post said. Eric Romang, a security researcher and Metasploit contributor, first stumbled upon this IE exploit.
Other agencies are also advising users to stop using Internet Explorer. Germany's Federal Office for Information Security (BSI) is also urging users to move to another browser until an IE fix is released, reported Computerworld.
However, some security experts feel it is too soon to go into panic mode.
"I think it's a bit too early to panic," Andrew Storms, director of security operations at nCircle Security, when asked to comment on BSI's advice, told Computerworld. "Granted, if the attacks escalate and the patch takes too long [to arrive] for comfort, then making the switch to another browser, at least temporarily, is a simple way to mitigate the threat."
Microsoft did offer some tips for users to better protect themselves until a patch is released. However, some of the fixes could impact web usability.
The Metasploit penetration testing tool, which Rapid7 develops, has been updated; this means Microsoft needs to move on this fix immediately, Information Week said.
Microsoft said it was conducting an investigation and that the company will "take the appropriate action" to provide customer protection. At this time no timetable for the IE patch has been announced, but the company indicated the fix will either be included in the company's monthly update, or in the form of a separate "out-of-cycle" update.
The technology giant currently holds a very large share of the browser market, so this exploit can impact a lot of users.