Microsoft responds to security hole in Internet Explorer browser

By Christine Mai-Duc

Dec. 31, 2012 12 AM PT

Microsoft has released a temporary fix for its Internet Explorer browser, which the company says has a security hole that could allow hackers to take over a computer.

The security hole, which Microsoft confirmed over the weekend, affects Internet Explorer versions 6, 7 and 8, and could allow malicious code, placed on some unsuspecting websites, to be embedded in a computer system after the browser visited the site.

“An attacker who successfully exploited this vulnerability could gain the same user rights as the current user,” Microsoft wrote in a security advisory released Saturday. The company added that users whose accounts are set up with fewer user rights might not be as affected.

FireEye and other security firms have reported that the website for Washington-based Council on Foreign Relations was being used to infect anyone who visited it. The website reportedly carried the code as early as Dec. 21. The Council on Foreign Relations could not be reached for comment about the status of its website.

The temporary measure, which Microsoft calls a “one-click Fix it,” should block any future attempts by hackers seeking to exploit the security hole, said Andrew Storms, director of security operations at nCircle, an Internet security consulting firm.

Microsoft reminded users that Internet Explorer 9 and 10 don’t contain the vulnerable code, but those versions are not available to Windows XP users. “The IE team is working around the clock to develop a security update to address this vulnerability for earlier versions,” the company wrote in a blog post Saturday.

Microsoft said Monday it had only seen “a limited number” of attacks, and Storms estimates the number is in the thousands.

That’s a small number compared to the universe of Internet users, says Storms, but the publicity it’s received has given Microsoft incentive to act fast until a more permanent patch is released.

“There’s all kinds of bugs out there,” Storms said in an interview. “What this represents is something that is publicly available and free. Anybody wanting to attack their enemy could use this tool right now.”

Microsoft recommended users update their browsers to the latest version if possible, make sure their anti-virus protection is up to date, and enable firewalls. Anyone still running the earlier versions of Internet Explorer should apply the “fix-it” until a permanent security update is provided, the company said. That could take weeks, as it is unclear whether the company’s engineers will release a long-term fix by “Patch Tuesday” next week, the company’s monthly release of security updates.

ALSO:

Cyber-attack in Europe highlights Internet risks

A new brand of cyber security: Hacking the hackers

Forget Kim Kardashian, here’s what we really searched for in 2012