Update 12:07pm PT: Microsoft says it has fully patched the hole and issued the fix.
Microsoft announced over the weekend that it is fixing a vulnerability in its Internet Explorer browser that could allow hackers to take over your PC.
“An attacker who successfully exploited this vulnerability could gain the same user rights as the current user,” the company explained in its security advisory. “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
The exploit only affects those Windows PC owners who are running IE 6, 7, or 8 and takes advantage of Adobe Flash “to generate a heap spray attack against Internet Explorer version 8.0,” according to security researchers at FireEye. A heap spray attack helps hackers insert their malicious code on a system, but it must be paired with an existing security hole, such as the one in Internet Explorer, that gives them their point of entry into the targeted system.
Furthermore, victims are hit with the attack when they visit a website that is (sometimes unknowingly) hosting malicious code. In this case, a number of security firms, including FireEye and AlienVault, note that the Council on Foreign Relations website was being used to infect anyone who visited it. FireEye says it first heard the CFR website was compromised on Dec. 27, but according to its researchers, the site could have been infected as early as Dec. 21.
Computerworld explains that the hackers are able to look at a specific group of people, or individuals, and target the attack to them by watching what websites they frequent. Whether the criminals wanted to attack specifically people who are interested in the CFR is unknown.
Microsoft says it is currently working on a fix and urges people to update their browsers to the most recent version of Internet Explorer. Keeping your systems up to date is one of our security resolutions for 2013. You can also use Qualys’ browser checker to make sure any plug-ins and your browser are up to date.
Depending on “customer needs” the fix may come in its regular batch of updates to IE, or in a separate, emergency patch.