Microsoft's Internet Explorer bugs: How worried should you be?

Over the weekend, Microsoft released a statement warning users of Internet Explorer that a flaw in the software could allow attackers to "take complete control" of any computer.

So how worried should you be?

The flaw affects Internet Explorer (IE) versions 6 to 11, and Microsoft said it was already aware of a number of "limited, targeted attacks" to exploit the bug. Since Microsoft's flagship browser accounts for more than 50 per cent of the global browser market, we can assume a number of people have already fallen foul of this security hole.

Security firm FireEye also revealed that a sophisticated hacker group has already been exploiting the flaw in a campaign dubbed "Operation Clandestine Fox", which has been targeting US military and financial institutions.

So how does the loophole work?

According to Microsoft, "The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer."

An attacker could then "host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website."

After that, the hacker would essentially have unlimited power over the user's system. They could install programs, view, change, or delete data, and create new accounts with full user rights.

But it's not all bad news.

By way of mitigating the dire news, Microsoft pointed out that the vulnerability would still rely on some level of social engineering.

"In all cases," Microsoft argued, "an attacker would have no way to force users to visit these websites."

Instead, a potential hacker would have to "convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website."

So following normal Internet best practices such as not opening suspicious links should keep you pretty covered.

Microsoft is apparently still working out how best to deal with the problem.

"On completion of our investigation," the statement reads, "Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update."

Microsoft has advised its users to deploy the "Enhanced Mitigation Experience Toolkit" (EMET), which it says can help to mitigate the damage by adding protection layers that make the vulnerability harder to exploit.

Of course, you could just switch to Mozilla's Firefox browser or Google's Chrome browser. If you're a diehard IE fan, you can switch back after a patch comes out.

But this reporter wouldn't advise it.

The attack is also dependent on Adobe Flash to work, so disabling Flash for the time being would also keep you covered.

Microsoft has, however, confirmed that no fix will be released for Windows XP, which recently reached its official end of life.