Update 12:07pm PT: Microsoft says it has fully patched the hole and issued the fix.
Microsoft announced over the weekend that it is fixing a vulnerability in its Internet Explorer browser that could allow hackers to take over your PC.
“An attacker who successfully exploited this vulnerability could gain the same user rights as the current user,” the company explained in its security advisory. “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
The exploit only affects those Windows PC owners who are running IE 6, 7, or 8 and takes advantage of Adobe Flash “to generate a heap spray attack against Internet Explorer version 8.0,” according to security researchers at FireEye. A heap spray attack helps hackers insert their malicious code on a system, but it must be paired with an existing security hole, such as the one in Internet Explorer, that gives them their point of entry into the targeted system.
Furthermore, victims are hit with the attack when they visit a website that is (sometimes unknowingly) hosting malicious code. In this case, a number of security firms, including FireEye and AlienVault, note that the Council on Foreign Relations website was being used to infect anyone who visited it. FireEye says it first heard the CFR website was compromised on Dec. 27, but according to its researchers, the site could have been infected as early as Dec. 21.
Computerworld explains that hackers can single out a specific group of people, or individuals, and aim the attack at them by watching which websites they frequent. Whether the criminals specifically wanted to attack people interested in the CFR is unknown.
Microsoft says it is currently working on a fix and urges people to update their browsers to the most recent version of Internet Explorer. Keeping your systems up to date is one of our security resolutions for 2013. You can also use Qualys’ browser checker to make sure any plug-ins and your browser are up to date.
Depending on “customer needs,” the fix may come in Microsoft's regular batch of updates to IE or in a separate emergency patch.