Microsoft Addresses Zero-Day Vulnerability Found in Internet Explorer


Judy Lau
Staff Writer

While much of the world has already shied away from the infamous Internet Explorer, hackers have shown their fondness for the browser with multiple attacks in the past. Now, they threaten to target both older and recent versions of Internet Explorer.

Known as “Operation Clandestine Fox,” this new zero-day threat encompasses almost all usable versions of Internet Explorer, including versions 6 through 11, making the browser extremely vulnerable to attacks. According to a report from FireEye, the exploitation “mostly occurs on the versions 9 to 11,” as most modern systems ship with wider versions. This makes up about 26 percent of total users on the Internet. However, there are still people who run on ancient versions of Windows, primarily 6, 7, and 8, which brings the total share of affected users to 56 percent.

This vulnerability allows hackers to gain control of operating systems and access any data on them. The attack primarily relies on getting users to visit a website hosting malicious code, hence the use of phishing emails, according to ZDNet. Considering that over half of Internet users can be affected by this threat, Microsoft has addressed the issue, stating that it will work on a patch.

On the first Thursday of every month, Microsoft reveals its security patches for the second Tuesday of the given month. However, its recent release is an “out of band” fix, meaning that the flaw is severe enough that the company cannot wait any longer to address the vulnerability.

According to ZDNet, Microsoft recently released an update to address the zero-day vulnerability in all versions of Internet Explorer, including on Windows XP, despite its support period having ended weeks ago.

“The security of our products is something we take incredibly seriously,” General Manager of Microsoft Trustworthy Computing Adrienne Hall stated. “When we saw the first reports about this vulnerability we decided to fix it, fix it fast, and fix it for all our customers.”

The patch will be automatically downloaded and installed on Windows computers that receive software updates from Microsoft. Users who do not get automatic updates are strongly encouraged to install the patch manually.

Despite this exception, users should not expect Microsoft to routinely include XP users in its security updates, according to IDC analyst Al Gillen. The flaw was primarily addressed because it affects Internet Explorer, not just XP.

Meanwhile, Hall called the gesture to XP users an “exception” because support for the OS ended very recently.

“Just because this update is out now doesn’t mean you should stop thinking about getting off Windows XP,” she wrote in a blog post.

Gartner analyst Michael Silver stated that he would not be surprised if Microsoft rescues XP users again in the next six months if another serious flaw crops up.

“Microsoft is walking a fine line of protecting people while not upsetting organizations that did the right thing and moved on time,” he said via email.

Given the recent threats and attacks, government security teams are urging Windows users to switch to Google Chrome or Firefox as their default browser until Microsoft delivers a security fix for the flaw that affects all versions of Internet Explorer. Computer emergency response teams (CERTs) in the United States, United Kingdom, and Sweden have encouraged users to avoid Internet Explorer until the vulnerability is fixed for good.