Just as the world finished getting over Heartbleed, security experts at FireEye Inc discovered another vulnerability over the weekend. The advisory released on Monday by the Department of Homeland Security said that users running Internet Explorer versions 6 through 11 could have their whole computer system affected if they visit a malicious website.
Computer users are advised to abandon Microsoft's Internet Explorer browser until the company fixes the security flaw, which hackers have exploited in a new type of attack. The bug is the first of its kind to emerge since Microsoft stopped offering security updates for Windows XP earlier this month.
How it works: Hackers set up a website that installs malware into a normal, everyday website that the victim visits. When users unwittingly visit that website, the hidden malware seeps into the user's computer and gives hackers total control. They could then change or delete data, install malicious programs or create accounts that would give them full user rights.
Cyber security software maker FireEye, whose Mandiant division helps companies respond to cyber attacks, refused to identify any of the victims or name the group behind the attacks, saying that an investigation into the matter is still going on.
Because Windows XP no longer receives security updates, even after Microsoft figures out a solution to fix the bug, PCs running the 13-year-old operating system could remain unprotected against hackers trying to exploit the newly uncovered flaw. According to the security firm's estimate, nearly 15 to 25 percent of the world's PCs still run Windows XP.
Microsoft said it was conducting an investigation and working on a fix for the bug. Once it completes the investigation, it will issue a solution for the problem either as a monthly security update or a special security update.
Until the patch is released, the company is urging users to update their software, validate a firewall, and install antivirus software. Users are also asked to try out a different browser such as Chrome, Safari or Firefox. If the user does not want another browser, Microsoft suggests downloading its Enhanced Mitigation Experience Toolkit version 4.1 to help guard against attacks until a patch is released.
FireEye said disabling the Adobe Flash plugin in Internet Explorer will prevent the exploit because the attacks won't work without it. Running IE in Enhanced Protected Mode, which is only available for IE versions 10 and 11, will also safeguard users from attacks.